Slashdot Mirror

← Back to Stories (view on slashdot.org)

Iowa Senate Proposes Making Spyware A Crime

Posted by timothy on from the an-official-crime-that-is dept.

Cooked Chicken writes "Iowa State Senator Keith Kreiman (D) is proposing Senate File 2200, an act making the distribution of Spyware without notice an aggravated misdemeanor, punishable by confinement for no more than two years and a fine of at least $500 but not more than $5,000. The proposed bill also provides victims and county attorneys with the ability to file a civil cause of action for relief from conduct constituting the crime of unauthorized collection and disclosure of personal information by computer."

26 comments

  1. Ashcraft is by Anonymous Coward · · Score: 0, Interesting

    moving his money to Brazil as we speak . . . he is so sued.

    1. Re:Ashcraft is by Anonymous Coward · · Score: 4, Insightful

      I don't see why this is offtopic. It's a rather insightful observation.

      The bill as linked to above provides an exception for "legitimate law enforcement purposes." One of the problems with current law enforcement in the US is that illegal searches and seizures usually result in nothing more than the evidence collected, if any, being disallowed in the court. It will now be possible to bring suit for the gratuitous and unauthorized collection of information, as it falls outside "legitimate law enforcement" even if the parties happen to work for a law enforcement agency. If you don't think this affects John Ashcroft, you haven't been paying attention.

      What about all those airlines that participated in CAPPS II in violation of their privacy agreements ?

      The suits filed won't really collect money, of course, but they will provide a good opportunity to put certain people in deposition where they can say embarassing things. I think it would be good if this law were enforced to the hilt against people like John Ashcroft.

  2. I'm all for it. by HotNeedleOfInquiry · · Score: 5, Insightful

    It's illegal to personally use someone's machine without their consent. It doesn't take a huge jump of logic to see that launching a program to use their machine without their consent should be illegal as well.

    --
    "Eve of Destruction", it's not just for old hippies anymore...
    1. Re:I'm all for it. by sdibb · · Score: 3, Informative

      Agreed, but don't those asinine EULAs apparently cover everything? I mean, even one of Microsoft's says that you give them permission to remotely login and change anything anytime for any reason (if I remember correctly).

    2. Re:I'm all for it. by Bishop · · Score: 2, Interesting

      Agreed. I hate spyware. I hate programs that call home with file listings from harddrives. But a nasty law like this is not the solution. There are even enough clauses in section 3 that would allow most spyware as legal. (Read 3a and 3b.) Similar to anti-spam laws this law is not going to stop the sleaze balls. There are already laws on the books now that could be used to punish spyware.

      Worst this is the kind of law that will be used as a trump card to make a criminal out of some kid who causes a little mischief like loading a key logger on someone else's computer. While such an act of mischief should not go unpunnished it is not an aggravated misdemeanor. On of the biggest threats to American freedom is the huge number of laws that can be thrown at someone when prosecutors decide that that someone must be punished.

    3. Re:I'm all for it. by Ethidium · · Score: 4, Informative

      Section 3a allows software programs to determine whether the user is licensed or authorized to use them (i.e. collecting information is not the main purpose of the program)

      Section 3b allows software for technical support purposes on the user's request.

      How does this "allow most spyware as legal?" The infamous gator, for example, is neither.

      --
      \
    4. Re:I'm all for it. by rixstep · · Score: 1

      Right on. The more people react against this junk, the better. And they're gaining momentum. Oh happy day.

    5. Re:I'm all for it. by Bishop · · Score: 2, Insightful

      Gator provides a service of "autocompleting web forms." While this service is useless, Gator can still claim that monitoring every website the user visits is an important part of insureing that Gator works. E.g to diagnose crash information. This really is not much of a stretch and any lawyer would argue this in court. Remember that logic has no place in a court of law. Gator also dosen't give a damn about "personal information" as deffined by para 4.a.1-7 of the proposed bill. Gator is mostly interested in the urlstats, and the interception of add urls. Again a lawyer will argue that urlstats don't constitute personal information under para 4.a.8. Even if Gator did want your vital stats, Gator could ask for the information and most users would fill in the form. (Especially as Gator would use sleaze ball tactics to make it look like there was no easy way to opt out.) This collection of personal stats could be easily argued as a "registration process to better serve our customers." This is not a hard arguement. A typical warranty registration card is mostly marketing questions.

      Understand that I hate Gator and the people who write this kind of software. I don't wish to defend them. However through this little thought experiment we can see that any semi-compotent lawyer will be able to get an aquittal for Gator and similar spyware. If charged under this bill Gator would have as many weasels in court as they could afford. A conviction would be more then just a fine and jail sentence. A conviction would be the end of Gators slimey business model.

  3. Penalties by Bad+Boy+Marty · · Score: 5, Insightful

    In my humble opinion, those penalties are only remotely strict enough if they are assessed per instance installed. Otherwise, even the maximum fine of $5000 is a drop in the bucket for most adware/spyware perpetrators.

    --
    RHCE; are you certified? Karma: ambiguous.
  4. I am skeptical by MobyDisk · · Score: 5, Interesting

    This is a step in the right direction. We need this type of legislation ASAP. However, I should point out:

    This bill establishes a criminal offense of unauthorized collection and disclosure

    The problem is that much spyware explicitly tells the user what it is going to do: in the EULA. But how many users read the EULAs? How many people understand them? As a computer repairman for lots of moms, granny's, and kids, I can tell you that these people won't read the licenses even if I explain to them the importance.

    the crime...by making available or providing access to computer software or an interactive computer service that collects identifying personal information and discloses such identifying personal information to persons other than the user without first giving the user notice.

    Some interesting stuff

    • It's legal if you disclose it in the EULA
    • Making the software available is the crime: So hosting providers better watch out.
    • Malware and adware are still okay
    • "anonymous" usage info is still okay.

    We privacy freaks now understand that "anonymous" usage information tied to "unidentifyable" facts like my sex, birthdate, and zip-code are sufficient to identify me when partnered with other databases.

    1. Re:I am skeptical by Ethidium · · Score: 3, Informative

      RTFA.

      Birthdate and zipcode are both explicitly considered as identifying information under this bill.

      --
      \
  5. About time the Iowa Democrats did something useful by TykeClone · · Score: 3, Funny

    While they're at it, they could make identity theft a capital crime, raise speed limits on rural roads, and skip raising the sales tax.

    --
    A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
  6. Is it solving the underlying problem of spyware? by Sangloth · · Score: 5, Insightful

    To paraphrase, the bill defines spyware as programs that send "Identifying personal information" without user knowledge or consent. It has a list of obvious exceptions, what's left is spyware.

    a. "Identifying personal information" means ...
    the following:
    (1) Name.
    (2) Address, including the street name or name of city or town.
    (5) Social security number.
    (8) Any other information identifying an individual.
    (I cut some stuff out, but you get the idea.)

    Do we hate spyware because it sends out this kind of information, or do we hate it because it runs in the background, shows pop-ups, and makes the computer unstable?
    I don't have a problem with the bill, but I don't think it target's the underlying problem of nearly self-installing crap-ware.

    btw, my computer's always 100% spyware free, it's my parents' computer that's beyond redemption.

    Sangloth
    I'd appreciate any comment with a logical basis...it doesn't even have to agree with me.

  7. Bad Law by max+born · · Score: 3, Insightful

    If you have too many laws for the Internet, you'll stiffle its development and waste a needless amount of society's resources.

    People will be more apprehensive about developing new ideas for fear of lawsuits and others will spend enormous amounts on litigation.

    And even if that's not true.

    How could you write such a law. Spyware? What's that? If Microsoft polls your computer for update requirements, would that not constitute a violation of such a law? If so Microsoft will amend its license agreement to compel a user to allow such Spyware. People who write programs will draft similar licenses, then they'll be lawyers, and endless amounts of everybody's time and energy.

    I would much prefer a technical solution at the user end, it's cheaper and more elegant.

    1. Re:Bad Law by HotNeedleOfInquiry · · Score: 2, Insightful
      If you have too many laws for the Internet, you'll stiffle its development and waste a needless amount of society's resources.

      Just how does banning spyware stiffle development? Where do you draw the line? And the line does have to be drawn somewhere. As far as I'm concerned, the line is my hard drive. Muck with it without my permission and you've crossed the line.

      --
      "Eve of Destruction", it's not just for old hippies anymore...
    2. Re:Bad Law by cgenman · · Score: 4, Insightful

      It's illegal to use another person's equipment in a way that they don't approve of, why not another person's computer? Does it matter if your mechanic hands you a stack of papers that says, somewhere on page 25b, that your car will be used every tuesday by Stop and Shop? It's still flagrantly illegal. Windows update is understandable behavior for an operating system, whereas if Internet Explorer sent your surfing habits back to Microsoft it wouldn't be.

      I'm all for technological solutions, but if I'm going to be legally banned from flamethrowing someone's servers I want some degree of protection in return. Malware is any software that performs activities significantly differently than those it presents to the user for the purpose of doing something the user probably wouldn't approve of. If someone releases a program to stop pop-up advertising, and it turns out to also replace every icon on the desktop with a link to an AOL signup page, I want justice.

      The first thing that needs to be done is, of course, throwing out EULA's. EULA's are not a product of necessity for the internet age, but rather an old leech in new clothing. There are widely accepted practices for software usage and sales, and those should be considered the standard.

      Everyone knows what "Spyware" is, the same way that everyone knows what "Sexual relations" means. Just because some lawyer may try to make it meaningless by envoking a draconian definition doesn't make it any less meaningful to the person on the street.

      --
      The ______ Agenda
  8. Think about it.... by Sayten241 · · Score: 3, Informative

    The problem is that in the EULA of the program it usually says something about you permiting the company to run the spyware. We don't need laws about this, just more competent computer users.

    1. Re:Think about it.... by WebGangsta · · Score: 3, Insightful
      Even if it's printed in the EULA, it would be nice if the installer would inform you of exactly what program(s) was being installed, and that the spyware's uninstaller worked and removed it. We've seen numerous cases of spyware programs getting installed behind-the-scenes that don't have valid uninstallers to go with them.

      And I'm not just talking about uninstallers for the spyware -- if I install a program that has a tagalong app bundled with it, I expect the original program to have uninstall options for those tagalong apps as well. Otherwise, it's a form of electronic littering.

  9. This probably wont do anything... by TJmoney · · Score: 0

    Unless its really aggressive in making this "notice" very clear, and not just hidden in a lisence agreement. Things will stay just like they are, since I believe its already required by law that you are told what you are installing although its fine if its hidden in 10 pages of law-speak. Sounds to me like a senator that wants to make a name for himself by trying to combat somthing people are concerned about, but not actually making any difference at all, similar to the CANSPAM laws.
    Unlike spam, spyware controll can be completely handled by the user. So if you really want a spyware-free computer, you need to take care of it yourself, not ask the government to do it for you.

  10. It's Nice by Mark_MF-WN · · Score: 1

    It's nice that some state governments are willing to look after their constituents. It's just too bad that the US federal government (and most other governments worldwide) are unwilling to take such measures.

    The history classes I've taken seem to suggest a time when western governments actually worked for their citizens, rather than against them. It would sure be nice to see a return to such days. (smarminess intended)

  11. Some stuff to think about by j-turkey · · Score: 3, Insightful

    One important thing to remember in this discussion is that many companies spend far more time keeping their networks spyware-free than they do worrying about viruses/worms. I know mine does.

    I don't really view spyware/adware/etc as anything other than a virus/worm with an EULA. If mydoom had an EULA attached to it which specifically states how it will work, and what it will do (in perfect legalese) -- should this be legal to write and spread in the wild? I say hell no. Anyway, since EULA's are not signed (in any way), and don't even have to be read -- they're not really an "agreement". They're more of a proclimation. Not only are their names misleading, but certain fundamental rights cannot be taken away by an EULA (and these are). Why not call one of those rights "control over your computer and personal information"? Maybe even redefine how EULAs are written. If you're giving up control over certain functions and information, maybe it should be in BIG BOLD LETTERS in plain English at the top of the agreement (rather than somewhere in the middle, small print, and in legalese so ambigous, most lawyers would read it and say "WTF?").

    It's about time that someone did something (not that this is the best thing to do). I'm all about freedom -- let people do what they want as long as nobody gets hurt. However, when software depends on mass trickery in order to propigate, then there is a problem. When it comes to spyware/adware, it's important to let people know what they're getting into -- this is where we should start.

    --

    -Turkey

    1. Re:Some stuff to think about by Yartrebo · · Score: 1

      Even with these changes, you still have the problem of extortion. If I buy software from the store, open it, read the EULA, and don't like it, it is very hard to get my money back. Also, there is the lost time and potential lost business and missed deadlines from having to find another program. Store bought software can also have malware.

      And then you have the unequal position of the two parties (unless you're a very big business).

    2. Re:Some stuff to think about by j-turkey · · Score: 1
      Even with these changes, you still have the problem of extortion. If I buy software from the store, open it, read the EULA, and don't like it, it is very hard to get my money back. Also, there is the lost time and potential lost business and missed deadlines from having to find another program. Store bought software can also have malware.

      As long as retailers accept the software returns, I don't see a problem. As far as lost time and potential lost business -- caveat emptor. That's never been a reason for a creating law (AFAIK). Besides, due diligence has always been a customer's responsibility. I'm not sure that the argument is really relevant because the problem as I see it is definitely not with shrinkwrapped software. It's with software distributed over the Internet. Finally, how in the world is malware extortion? I believe that malware is alot of things (all bad) -- but extortion has never come to mind.

      And then you have the unequal position of the two parties (unless you're a very big business).

      Was this a response in regards to my comment or just your sig?

      --

      -Turkey

  12. Aaah... technology in Iowa! by Anonymous Coward · · Score: 0

    Having in mind the widespread use of technology in Iowa, it is quite understandable how this progressive state came with such a groundbreaking idea...

  13. Employers can spy; illegal cookies? by Randym · · Score: 1
    3. This section shall not apply to persons making available computer software or interactive computer service that is reasonably needed to do any of the following:

    a. Determine whether or not the user is a licensed or authorized user of the software.

    b. Provide technical support for the use of such software or computer service upon request of the user.

    c. For any legitimate law enforcement purpose as authorized by applicable federal, state, or local law.

    d. To enable an employer to monitor employee computer usage while such employee is within the scope of any employment as authorized by applicable federal, state, or local law.

    By the way, this also appears to illegalize cookies.

    4. As used in this section, the following definitions shall apply:

    a. "Identifying personal information" means information that personally identifies a user of computer software or interactive computer service, including but not limited to any of the following:

    [items skipped]

    (8) Any other information identifying an individual.

    --
    DNA is a Turing machine. You, however, being dynamic and emergent, are not.