Iowa Senate Proposes Making Spyware A Crime

Cooked Chicken writes "Iowa State Senator Keith Kreiman (D) is proposing Senate File 2200, an act making the distribution of Spyware without notice an aggravated misdemeanor, punishable by confinement for no more than two years and a fine of at least $500 but not more than $5,000. The proposed bill also provides victims and county attorneys with the ability to file a civil cause of action for relief from conduct constituting the crime of unauthorized collection and disclosure of personal information by computer."

I'm all for it.

[HotNeedleOfInquiry]

It's illegal to personally use someone's machine without their consent. It doesn't take a huge jump of logic to see that launching a program to use their machine without their consent should be illegal as well.

Re:I'm all for it.

[Bishop]

Gator provides a service of "autocompleting web forms." While this service is useless, Gator can still claim that monitoring every website the user visits is an important part of insureing that Gator works. E.g to diagnose crash information. This really is not much of a stretch and any lawyer would argue this in court. Remember that logic has no place in a court of law. Gator also dosen't give a damn about "personal information" as deffined by para 4.a.1-7 of the proposed bill. Gator is mostly interested in the urlstats, and the interception of add urls. Again a lawyer will argue that urlstats don't constitute personal information under para 4.a.8. Even if Gator did want your vital stats, Gator could ask for the information and most users would fill in the form. (Especially as Gator would use sleaze ball tactics to make it look like there was no easy way to opt out.) This collection of personal stats could be easily argued as a "registration process to better serve our customers." This is not a hard arguement. A typical warranty registration card is mostly marketing questions.

Understand that I hate Gator and the people who write this kind of software. I don't wish to defend them. However through this little thought experiment we can see that any semi-compotent lawyer will be able to get an aquittal for Gator and similar spyware. If charged under this bill Gator would have as many weasels in court as they could afford. A conviction would be more then just a fine and jail sentence. A conviction would be the end of Gators slimey business model.

Penalties

[Bad+Boy+Marty]

In my humble opinion, those penalties are only remotely strict enough if they are assessed per instance installed. Otherwise, even the maximum fine of $5000 is a drop in the bucket for most adware/spyware perpetrators.

Is it solving the underlying problem of spyware?

[Sangloth]

To paraphrase, the bill defines spyware as programs that send "Identifying personal information" without user knowledge or consent. It has a list of obvious exceptions, what's left is spyware.

a. "Identifying personal information" means ...
the following:
(1) Name.
(2) Address, including the street name or name of city or town.
(5) Social security number.
(8) Any other information identifying an individual.
(I cut some stuff out, but you get the idea.)

Do we hate spyware because it sends out this kind of information, or do we hate it because it runs in the background, shows pop-ups, and makes the computer unstable?
I don't have a problem with the bill, but I don't think it target's the underlying problem of nearly self-installing crap-ware.

btw, my computer's always 100% spyware free, it's my parents' computer that's beyond redemption.

Sangloth
I'd appreciate any comment with a logical basis...it doesn't even have to agree with me.

Re:Ashcraft is

I don't see why this is offtopic. It's a rather insightful observation.

The bill as linked to above provides an exception for "legitimate law enforcement purposes." One of the problems with current law enforcement in the US is that illegal searches and seizures usually result in nothing more than the evidence collected, if any, being disallowed in the court. It will now be possible to bring suit for the gratuitous and unauthorized collection of information, as it falls outside "legitimate law enforcement" even if the parties happen to work for a law enforcement agency. If you don't think this affects John Ashcroft, you haven't been paying attention.

What about all those airlines that participated in CAPPS II in violation of their privacy agreements ?

The suits filed won't really collect money, of course, but they will provide a good opportunity to put certain people in deposition where they can say embarassing things. I think it would be good if this law were enforced to the hilt against people like John Ashcroft.

Bad Law

[max+born]

If you have too many laws for the Internet, you'll stiffle its development and waste a needless amount of society's resources.

People will be more apprehensive about developing new ideas for fear of lawsuits and others will spend enormous amounts on litigation.

And even if that's not true.

How could you write such a law. Spyware? What's that? If Microsoft polls your computer for update requirements, would that not constitute a violation of such a law? If so Microsoft will amend its license agreement to compel a user to allow such Spyware. People who write programs will draft similar licenses, then they'll be lawyers, and endless amounts of everybody's time and energy.

I would much prefer a technical solution at the user end, it's cheaper and more elegant.

Re:Bad Law

[HotNeedleOfInquiry]

If you have too many laws for the Internet, you'll stiffle its development and waste a needless amount of society's resources.

Just how does banning spyware stiffle development? Where do you draw the line? And the line does have to be drawn somewhere. As far as I'm concerned, the line is my hard drive. Muck with it without my permission and you've crossed the line.

Re:Bad Law

[cgenman]

It's illegal to use another person's equipment in a way that they don't approve of, why not another person's computer? Does it matter if your mechanic hands you a stack of papers that says, somewhere on page 25b, that your car will be used every tuesday by Stop and Shop? It's still flagrantly illegal. Windows update is understandable behavior for an operating system, whereas if Internet Explorer sent your surfing habits back to Microsoft it wouldn't be.

I'm all for technological solutions, but if I'm going to be legally banned from flamethrowing someone's servers I want some degree of protection in return. Malware is any software that performs activities significantly differently than those it presents to the user for the purpose of doing something the user probably wouldn't approve of. If someone releases a program to stop pop-up advertising, and it turns out to also replace every icon on the desktop with a link to an AOL signup page, I want justice.

The first thing that needs to be done is, of course, throwing out EULA's. EULA's are not a product of necessity for the internet age, but rather an old leech in new clothing. There are widely accepted practices for software usage and sales, and those should be considered the standard.

Everyone knows what "Spyware" is, the same way that everyone knows what "Sexual relations" means. Just because some lawyer may try to make it meaningless by envoking a draconian definition doesn't make it any less meaningful to the person on the street.

Re:Think about it....

[WebGangsta]

Even if it's printed in the EULA, it would be nice if the installer would inform you of exactly what program(s) was being installed, and that the spyware's uninstaller worked and removed it. We've seen numerous cases of spyware programs getting installed behind-the-scenes that don't have valid uninstallers to go with them.

And I'm not just talking about uninstallers for the spyware -- if I install a program that has a tagalong app bundled with it, I expect the original program to have uninstall options for those tagalong apps as well. Otherwise, it's a form of electronic littering.

Some stuff to think about

[j-turkey]

One important thing to remember in this discussion is that many companies spend far more time keeping their networks spyware-free than they do worrying about viruses/worms. I know mine does.

I don't really view spyware/adware/etc as anything other than a virus/worm with an EULA. If mydoom had an EULA attached to it which specifically states how it will work, and what it will do (in perfect legalese) -- should this be legal to write and spread in the wild? I say hell no. Anyway, since EULA's are not signed (in any way), and don't even have to be read -- they're not really an "agreement". They're more of a proclimation. Not only are their names misleading, but certain fundamental rights cannot be taken away by an EULA (and these are). Why not call one of those rights "control over your computer and personal information"? Maybe even redefine how EULAs are written. If you're giving up control over certain functions and information, maybe it should be in BIG BOLD LETTERS in plain English at the top of the agreement (rather than somewhere in the middle, small print, and in legalese so ambigous, most lawyers would read it and say "WTF?").

It's about time that someone did something (not that this is the best thing to do). I'm all about freedom -- let people do what they want as long as nobody gets hurt. However, when software depends on mass trickery in order to propigate, then there is a problem. When it comes to spyware/adware, it's important to let people know what they're getting into -- this is where we should start.