Top Web Businesses Oppose Utah Spyware Law
theodp writes "According to MediaPost.com: 'Some of the Web's leading content and technology providers have taken action to lobby against Utah's controversial Spyware Control Act, which is awaiting the governor's signature. Web publishers and businesses including AOL, Amazon, Cnet, eBay, Google, Microsoft, and Yahoo! signed a letter to the bill's sponsors arguing that the bill could create serious repercussions for the entire online community. The parties to the letter warned that the bill could interfere with computer security and would also impair the delivery of local, targeted ads'."
-- Sigh --
Is this yet another example of technologically illiterate politicians eagerly passing bills without bothering to find out what the law is going to do?
At first, I read the post and thought, why are all these businesses opposed to this law? It must be a good law if a lot of big corporations don't like it.
But after reading the article, I think that the legislators' efforts went off half-cocked, and they let one company write the bill to suit themselves.
I wonder why these big companies waited until after the bill passed to begin lobbying. If the governor signs the bill, isn't it going to be a lot harder to get rid of it?
I'm in favor of laws limiting spyware and adware, but I think it's important to get it right the first time. If the FTC doesn't even have a definition for spyware, it's back to the drawing board.
You are in error. No-one is screaming. Thank you for your cooperation.
I doubt anyone is surprised by Microsoft's, AOL's, etc, complaints, but Google and the like? That seems a bit odd.
Do they believe that later legislation will "restrict" even more things that affect their business, or do they sponsor spyware?
There's a difference between a *relatively* benign cookie stored in the browser and a trojan spyware program as bundled with kazaa, comet cursor, etc.
Having said that, I'm not sure legislation is the best way to take care of this. Can't we use existing laws in court to fight spyware?
The Problem with AdAware and the like is that they do not actually block programs/controls by their own published guidelines. They also do not respond at all to any sort of dialog to inquire why they choose to block the programs that they do, yet not other toolbars which have the exact same functionality, privacy statements, uninstaller, and installer.
At least that's how I remember it.
Lasers Controlled Games!
I do not want to install their malware, nor do I think it should be legal to trick the user into installing it either. If the users knew what kind of program it was, they would not install it. But it has to be hidden behind OS updates, Media Players, shareware, helper programs, toolbars, and other things.
Find another way to make money, I am not buying their defense of Spyware/Adware one bit.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
I've always been puzzled as to how this works. I know there should be lots of cases of such things already (Sharman Networks, for example) where a "local" law is used to prosecute someone from another area.
With the Internet being what it is, how do we effectively enforce such things? Seems like a lot of chest-pumping without much effect. More politicians posturing? So how can local laws be enforced on a global community? (besides pissing enough people off to get the DMCA slapped on you and ruin your US travel itinerary a la Dmitri)
Without having RTFA (yeah, shocking, isn't it), I'd say /big/ business will fight anything they feel would be the slightest inconvenience to their business-as-usual focus on p.r.o.f.i.t.
"What?! Testing DDT before spraying it EVERYWHERE? What don't you understand: No bugs!! You friggin commie business playa-hata."
"Waddyamean cigarettes might be bad for pregnant women?? What? No, of course we don't need to test it - it's silky-smoooth isn't it?"
"Union? You're fired! Unite that, buster!"
"Our cars burst in flames, you say? For no apparent reason, huh? Well ...how 'bout that.. look, cows!"
668.5
I'm not sure whether this is supposed to be actual "news" or just a PR release. I know nothing about the actual bill, but this article definitely did not help me understand it. Why is Slashdot covering such a biased piece?
Turns out the FTC is gonna be hosting Spyware workshop here in DC in April. FTC Workshop Information
The workshop is titled Monitoring Software on Your PC: Spyware, Adware, and Other Software and will take place on April 19, 2004. It is open to the public and there is no attendance fee.
On the site is information on how to submit a public comment to the records of the event.
Still Mud? Try www.phoenixmud.org!
Which means that your browser, which routinely sends each web site you visit a referring URL, is spyware in Utah.
Well, except for Internet Explorer, that is. Since IE is part of the operating system, it is excepted from the definition of spyware by subsection (5)(c).
I'll leave it to the foilhats to decide whether Bill Gates has been donating heavily to the Mormon church.
Ceci n'est pas une sig.
But then, requiring all stuff open source would remove a lot of incentive for doing a lot of specialized stuff.
I have no problem with something like a core algorithm for a motor control being proprietary, or maybe databases - but I feel strongly that one requirement that should go in exchange for the legal mandate of keeping my nose out of it is that it be very clear that the responsibility for what the code does rests squarely with the one claiming ownership of the proprietary code and takes *all* legal liability for *any* consequences of using that code.
The business caveat for Open Source code is that, in exchange for letting you in on its innards, you are supposed to read and understand the code, and thereby know its actions when executed.
Code doesn't lie. If it doesn't do what you expected, there is no one out there responsible for it. You may contact the author, or support organizations, and you are free to negotiate suitable arrangements for technical support if you can't read or don't have the time to tune the code so it does exactly whatever it is you wanted.
It sure looks to me that they see this Utah legislation as throwing a monkey wrench into their business plan of first snaring an audience, then once they become dependent on their services, then requiring them to install proprietary software. Pacific Bell did that to me. I went for years on their dialup. Suddenly I start getting emails from them telling me it's mandatory that I visit their website and download their proprietary Yahoo code. I read the EULA, and again saw all those disclaimers of any liability, as well as implicit permission to share my stuff with their marketing partners. I just about puked at that point. I hated to kill that account, but I had to.
It seems to me the largest vector for viral infections is the use of any programs ( which, by their very nature, require permissions to run and access the TCPIP stack ) to execute rogue scripts. Microsoft's stuff is full of it. Linux would be too if it were as popular. I do not see the problem as being OS-centric, as rogue programs and exploits can be written to exploit an executable under any OS. Any other programs demanding executable permissions ( plug-ins, etc. ) out there only open up yet more security problems. Anyone who has surfed the net notes that an ever-increasing number of webmasters are now requiring the use of some specialized plug-in to view content instead of just using the standard way of doing the exact same thing. These specialized plug-ins are wide open for spoofing and tampering, as by their nature, once installed, they are given the keys to the kingdom.
It looks to me this legislation would effectively bar the trickery of demanding installation of plug-ins ( which may well have ulterior motives unseen by the downloader ) to view content.
I feel a lot of the internet businessmen have been watching the supermarkets and their "value cards" and have been thinking of implementing it on the web. I get the idea each has been tinkering with getting their proprietary bots in our machines much like the supermarkets coerced their cards into our wallets and purses. This legislation looks like it throws a monkey wrench into that plan.
Go for it. It may ( like the DMCA ) need some adjustment later, but for now, it sure looks like it will help curb the flow of exploitable code people are demanded to install at the whim of webmasters who inflict this on their visitors.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
Good point, but it might be tough to fake them out if you're running Linux and their crap is a .dll
If I went to gator.com (or whatever their website is) and downloaded their marketing software, that would be one thing. But I haven't, and never will. My guess is 98% of people wouldn't either. I don't want to be plagued by their crap. If I wanted to be some kind of running marketing/advertising survey participant, there are places I could go to do that (e.g. NPDOR.com) As it is, I don't even plug my satellite IRD or cable receiver (yes, I have both) into the phone line b/c I don't want them reporting my viewing statistics. I am not a guinea-pig for Nielsen, and neither is my PC.
So yah, fsck MS and Yahoo! and the rest. Destroy all spy/mal-ware and tar-ball and feather the spammers! I shouldn't have to run software on my PC to find out if some asshole webmaster or programmer is hunting for my name/email/home address/surfing habits, etc. Spyware, malware and the like are just overblown viruses (and just as malicious in many cases), and should be treated by the authorities as such. If Y! can and wants to denote my viewing habits within their site, that's fine. I subscribe to their service and use their hardware. If I click on an ad link (I won't), they can track that without ever installing software or cookies on my PC. Sure, that takes some horsepower from their servers and space in their DBase, but I don't recall signing up for a Y! "Help us cut costs" distributed computing project. If I should provide my real name, address, or zip code to Yahoo! (I haven't, and won't) and they say they reserve the right to use that info, that's also ok, assuming I'm made immediately aware of this in very plain text at the top of the EULA. I even fed them a nearby zip code... I don't mind that there's an ad on my email page; That's how they make their money. I still won't click-thru, but they get paid by the impression, so if they want to send me ads local to Atlanta, that's ok, just so long as they
The Internet may be the next big advertising medium (it's gotta pay for itself somehow), BUT MY PC IS NOT!
Final thought for close. It is permissible for neighborhoods and office parks, etc., to put up signs saying "No Soliciting". This means that you can't just walk onto mine or someone else's private property and harass them to buy something. People have been shot for less. There is a sign outside of my neighborhood that says "No Soliciting". Boy/Girl Scouts are ok in my book. Jehovah's Witnesses and Insurance salesmen offend me, and I don't want them at my door bugging me. The law gives me the recourse, when properly posted, to have these people fined or in some cases arrested. Used to be bulk mail in my Snail-Mail box. That was bad enough but went away with the internet (USPS must miss those days). SPAM in my email box is just as bad. But installing software/cookies without my consent (something no one will *EVER* get legitimately) is no different than a salesman violating my personal privacy and property to come into my home and pitch me stuff I don't want. I almost never watch TV. Never mind the lack of content on the tube ('cept for Stargate, Enterprise CNN/FNN, and Discovery Wings), the advertising is obnoxious... Can't even legally get a filter to tone down the volume of commercials. But I do subscribe for that content. Thank any and all G-d's that ISP's don't operate th
"Inveniemus Viam Aut Faciemus" 'We will find a way... Or we will make one!' --Hannibal of Carthage
One should also take note that the reason these big companies are so opposed to this anti-spyware bill is that the information gathered by companies such as Gator, Comet Cursor, Doubleclick, Wildtangent, etc... serves as a veritable goldmine for marketers inside MS, Amazon, and a whole bunch of other big companies. If they know what we're browsing, how we're browsing, then they know what we like, what we used to like, and what we don't like. Knowledge like this is what marketers DIE for. They have an undying urge to understand the consumer, and the spyware companies can (and most likely do) provide this information for a price. This is obviously a fight to keep this information flowing smoothly.
... is curtilage.
Nothing about "privacy", it's more simple than that. It all comes down to who owns the machine... who is accountable for what it does, and who has authority of what it does.
Spyware is all about authority, without accountability. Period.
In real life, though you cannot have one without the other. Consider the typical business, or household setup - you have...
a) A hardware device, and Dad (or the sysadmin) owns it. He's the one the feds will arrest, first, when his IP address is linked to a pile of kiddy porn.
b) Software licenses, owned by the licensee. Note that this person is *not* usually the same dude as the hardware owner... consider co-locations, or consider the game that Mom bought, to put on Dad's machine, for little 5 year old Billy to play.
c) Users. These are the people who actually use the software, in concert with the hardware. Note that they own neither.
You can see how authority, and especially accountability, come into play. Little Billy has no accountability, therefore he cannot have any authority. Giving him authority means he can bind Dad into any license agreements that come down the pike; despite that Dad may have explicitly forbidden such agreements.
Likewise, Mom only has authority over the software license. She has no implicit rights to any of the hardware... she cannot loan it to a friend, sell it, lease clock time, or whatever. She can do whatever the hell she wants with the license, however, because it's hers... which includes letting Billy take one of her seats. Billy cannot reassign the seat she's given him, however, unless she agrees. After all, come License Violation Time, it'll be enforced against HER, not Billy.
Same goes for the hardware - when all is said and done, Dad (or whoever owns the hardware) is going to be implicated.
The perfect world respects this setup. In fact, it adds another layer - the Network Guy.
The Network Guy owns all the cables, switches, routers that connect the machines to whatever. In the perfect world, he hates everyone... bandwidth is precious, and every packet is metered and paid for in blood. He has the right, since HE OWNS IT, to demand only certain types of traffic occur, and he has the right to demand that no one may deviate from his plan.
The hardware owner pays the blood to the network guy, and he hates him for it. He also hates the software licensees - they're forever encumbering his machines, and he doesn't do it lightly. In fact, he demands (since HE OWNS THEM) that no one has any right to install anything, nor bind him to nor involve his hardware with any EULAs or whatever, period. CPU and drive assets are precious commodities, and those machines exist exactly to fulfill HIS purpose, and no one else's. He also hates the network guy, since the network guy is forever allowing packets to bounce off his NIC - which the machine reacts to, and causes an unauthorized change in state in the machine. The network guy has no right to cause such changes, unless the hardware owner has specifically agreed that those types of changes are allowed. The hardware guy is only allowed to cause specific changes in state of specific pieces of the network, and the network guy is only allowed to cause specific changes in state of specific hardware devices.
The software licensee is hated by all, and hates them all back. This person has no home, and has no implicit rights to anything other than, exactly, delegation of the licensed seat(s). This person is free to agree to whatever EULAs, terms restrictions, mortgage payments, or other encumbrances... all day long, it matters not. However, they have no right to any of the hardware, nor any of the network - both of those resources must be negotiated for, separately. Both the hardware owner and the network guy will refuse to be bound by any terms in the license, since they have no interest in it, and both refuse to delegate any of their authority to the licensee. After all, she's a Typhoid Mary.
F
help me i've cloned myself and can't remember which one I am
I've got a particularly strong conspiracy theory about this. It goes like this:
1. The government should invest all the money for consumer protection in consumer education and programs to inform the public; do away with regulation; let the market make decisions.
2. Informed consumers would not simply click on something, or buy something etc.
3. Making it harder to sell things, more expensive, lowering profits.
4. So the government actually helps big business by pretending to hurt them with regulations. It doesn't abolish regulations and invest in education, empowering people to vote with their pocketbook, because it would work.
The only thing I can't figure out is if harboring this idea makes me ultra-liberal or ultra-conservative...
Sarcasm and hyperbole are the final refuges for weak minds
I'm almost at a loss to begin answering, because to me it's obvious that none of Linux's protections help here at all. The main problem is that the user can be fooled into pressing whatever buttons are needed.
It's really a two part question: how will the malicious code get run initially, and how will it insert its back doors. There are many ways - here are some of the more obvious.
Initial Running: probably by the same mechanism that spyware uses today. Offer a "free download" with the spyware bundled. The same people that run it on Windows will run it on Linux. And don't say they won't have root - they will have to have root if Linux replaces Windows. Anyhow, root is not really needed, as I'll show.
Creating Backdoors: If the malware is installed by root, anything goes. Daemons added to the rc scripts, possibly a rootkit to cover up, possibly kernel modules that add all sorts of nasty advertising hooks. Imagine if every time text is read from a file or a socket, a brief ad is prefixed. Yuck!
If the user merely runs the malware once under his own ID, many tricks are still possible. Immediately launch a background process that continues the malware installation after the "bait" app exits. Hide malware executables in densely populated directories like the browser cache, and modify .bashrc, etc., to launch them on login. Copy an app like Mozilla to a hidden file, apply a binary malware patch, and change the desktop menu/icon to point to the hacked copy. Download a hacked glibc to a hidden location and set LD_LIBRARY_PATH in .bashrc to point there - then any kind of horror is possible.
Of course, you can cheat and use a buffer overflow for the initial install, but to stay congruent with Windows spyware we should assume tricking the user into running a "bait" application.
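A defender's triage for the user-level persistence described in the comment above (loader overrides in startup files, executables hidden in cache directories, launchers repointed to a hidden copy), added here as an example and not part of the original thread. The function names and the demo home directory are constructed for illustration; hits are a review list, not a verdict.

```shell
#!/bin/sh
# Added example, not from the thread: triage one home directory for user-level
# persistence. Function names and the demo layout are constructed.
STARTUP_FILES=".bashrc .bash_profile .bash_login .profile .zshrc"

# 1. Startup-file lines that redirect the dynamic loader (path:line:text).
loader_overrides() (
    for f in $STARTUP_FILES; do
        [ -f "$1/$f" ] || continue
        grep -nE '^[[:space:]]*(export[[:space:]]+)?LD_(LIBRARY_PATH|PRELOAD)=' \
            "$1/$f" /dev/null || true
    done
)

# 2. Executable files under hidden paths (caches, dot-directories). Expect
#    some legitimate hits such as ~/.local/bin; each one needs a look.
hidden_executables() (
    cd "$1" || exit 1
    find . -type f -perm -100 -path '*/.*' 2>/dev/null || true
)

# 3. Desktop launchers whose Exec= target sits in a hidden directory.
hidden_launchers() (
    cd "$1" || exit 1
    find . -type f -name '*.desktop' \
        -exec grep -nE '^Exec=.*/\.[^/ ]' /dev/null {} + 2>/dev/null || true
)

# Run all checks, print findings per check and a total on the last line.
audit_home() (
    total=0
    for check in loader_overrides hidden_executables hidden_launchers; do
        out=$("$check" "$1")
        [ -n "$out" ] || continue
        printf '== %s ==\n%s\n' "$check" "$out"
        total=$((total + $(printf '%s\n' "$out" | wc -l)))
    done
    printf 'findings: %d\n' "$total"
)

# Constructed sample home: one loader override, one cached executable,
# one launcher repointed into a hidden directory, one benign ~/bin tool.
make_demo_home() (
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/.cache/browser" "$d/.local/share/applications" "$d/bin"
    printf '%s\n' 'alias ll="ls -l"' \
        'export LD_LIBRARY_PATH=$HOME/.cache/browser/lib' > "$d/.bashrc"
    for x in .cache/browser/f_00a1 bin/tool; do
        printf '#!/bin/sh\n' > "$d/$x" && chmod 700 "$d/$x"
    done
    printf '[Desktop Entry]\nName=Browser\nExec=%s/.hidden/browser %%u\n' "$d" \
        > "$d/.local/share/applications/browser.desktop"
    printf '%s\n' "$d"
)

# No argument: audit the constructed demo home. Otherwise audit "$1".
if [ "$#" -gt 0 ]; then audit_home "$1"
else demo=$(make_demo_home) && audit_home "$demo"; rm -rf "$demo"; fi
```

Run it with a home directory as the only argument to audit a real account; none of the checks need root for the invoking user's own files.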