The Pure Software Act of 2006
lurker412 writes "The MIT Technology Review features a proposal by Simson Garfinkel to provide honest labels on software in the same way that the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products. The proposal targets adware, spyware and other unsavory practices. It suggests that by requiring software manufacturers to include clear icons for each nasty behavior--rather than hide the disclosures in seldom read or understood click-through SLAs--end users will be better protected. Garfinkel specifically lists eight types of sneaky behavior, but the list is not meant to be exhaustive."
How do they plan on labeling software solely distributed over the internet? I'd venture to say that 90% of the spyware that's out there comes through download-only software (DivX, peer-to-peer software, etc...).
Implementation would be far too much trouble. Developers would fight you at every turn. Would my software be spyware if I had it collect general system stats if you choose to register, so that I know the average machine speed of my clients? Would that carry the same label as a program that logged every keystroke and sent that back?
To implement it. Software is created internationally, especially some of the riskier/more questionable stuff. Congress can pass laws all they want, but it's going to be difficult to get a programmer in Uzbekistanajanina to follow.
As that article says, most of the proposals to control spyware get bogged down in trying to define spyware without catching software that is clearly legitimate, such as an antivirus program trying to "phone home" automatically to update its virus signatures.
I would much rather see regulation that required all software to clearly declare its intentions, and to get explicit and verified permission to install.
That is contrary to the nature of the software, which is to hide, report on your actions, enable remote operations, reproduce and the like.
Spammers are going to ignore this, just like an unsubscribe link.
The people who get spyware are the stupid and the elderly. Switching to linux would make things even worse for them.
I can hear the software vendors right now. "Oh, sure, I'm going to label my software as 'pop-up', that'll bring in the customers, oh, yeah!" More likely, they'll fight it on the grounds of anyone who ever made or makes use of the Yes/No dialog box -- "That's a pop-up, too, make them label their software." Totally meaningless.
Oh, I don't know. You could have said the same thing about food labels, but the fact is a lot of the food industry actually wanted them. I would think the same about this. Honest software vendors (which is still the majority of the industry), I would think would jump at the chance to be part of something like this, because it would help distinguish why their software is better than the shyster spamware and adware companies' stuff. I mean what if on the one hand you have Real with a whole bunch of scary icons, and on the other you have Apple with only one or two for QuickTime/iTunes? If I were Apple I'd be very happy about this. That's just one example; the easiest that came to mind. In every category you'd have companies on both sides of the issue, depending on who would benefit; it just depends on who's got the most lobbying power in each specific case.
And btw, to respond to another early comment, I too wondered initially what a certain musical duo was doing putting forth software regulation recommendations when I first read the posting.
The people who get spyware are the stupid and the elderly. Switching to linux would make things even worse for them.
I believe you just made the case for Mac OS X.
Why not use Mr. Yuck! stickers and icons on all software that uses unsavory practices?
No need to make it complicated...if it's got any characteristics like spyware it's crap and gets a Mr. Yuck. Simple.
The food and drug industry is heavily regulated, and is substantially easier to control than software because producers need to be licensed with various governmental bodies, depending upon the country. Rightfully so, as lives are at stake.
If this sort of labeling scheme is to achieve widespread adoption, it will need the same sort of tight regulations. I don't believe that the majority of developers would enjoy this at all... imagine having to have upgrade releases and patches approved by the Federal Software Administration, before being allowed to legally distribute it to the public. Throw in the fact that it would take several decades just to get a minority of the world's countries on the same wagon, and consider that most "scumware" (to generalize) comes from outside the U.S.
It's a great idea, but the execution is all wrong. More appropriate would be to grant developers the ability to have their software approved as "Popup free" or "Doesn't Phone Home" or the inverse of the many other icons that Simson Garfinkel (sounds like a joke) proposes. This legislation would prove a lot harder to fight from an industry perspective.
If anyone cries that this would be like a scarlet letter and harm his sales, remind him that proponents of DRM (while wielding effective monopolies in their product areas) were saying to "let the market sort it out." Free markets require good information, which such a law will provide.
The Pure Food and Drug Act, while seemingly innocuous in its time, paved the way for the current prohibition against certain drugs in the US (and most of the world) and led to all of the excesses and perversions of the government's "War on Drugs". How could this proposal (well-meaning and topical as it seems today) come back and bite us in the future?
Perhaps deeply immersive and psychologically convincing virtual reality of the future will be deemed to be software with the potential to cause harm and no redeeming properties. Then the government would be well within its "rights" to prohibit the software's use and impose draconian penalties for possession or distribution (especially if you have the source code).
People in 1906 let the government have say over what they put in their bodies because of fear of contamination (and outright fraud), are we going to let the government have say over what we put on our computers because of fear of ad- and spy-ware?
American McGee is, in my opinion, an emblematic case of this phenomenon. Why was his game called "American McGee's A.L.I.C.E."? Do you ever hear about "John Smith's BullshitGame 2003"? I think not (we won't get into whether or not the game here sucked, which I believe everybody can agree with). Why was Mr. McGee a speaker at so many industry conventions and trade shows? Was it because of his amazing intellect and insights? His colorful lively presentation style? The quality of his work in the gaming industry? No, it's because his fucking name is "American McGee".
Simson Garfinkel is a pretty good tech writer. Certainly a lot more knowledgeable than some of the idjits out there. But first and foremost, his success and the attention he gets is because his name is eminently brandable and memorable due to its remarkable resemblance to "Simon and Garfunkel". This works at a subconscious level, from what I've observed, even when people don't immediately note the resemblance of his name - they note what a strange name it is, and they always seem to remember it later if they encounter it again.
I won't bother getting to all the other examples of this phenomenon at work - some of them are people I know personally who are great people but owe much of their success to this kind of clever branding ("Jennifer 8. Lee" anyone?). The power of this phenomenon is undeniable. We may all sit around and think we are above this kind of low-level marketing manipulation of our brains, but we need to face the facts: we are being manipulated by the Strange Name Mafia into their sick and twisted view of the technology industry.
Boycott weird-named pundits. Err. Or something.
Further, there are several games that ship with Microsoft DirectX. That modifies your operating system. The program's package can't be labelled without the (wrench icon), unless it comes with installation instructions about how and where to download the required ActiveX features.
In other words, sometimes the labelling will simply get in the way of the whole truth.
Spyware is a big problem which isn't Windows' fault. Because Windows is the biggest, it gets targeted by spyware.
Sorry, but that's complete and utter bullshit. My tech team spends too much time cleaning up after malware. I made the mistake of switching our organization over to IE several years ago, mainly due to complaints about compatibility. The majority of these nasty malware programs take advantage of design flaws in IE to enter the system and remain there.
I'm now testing Netscape 7 as a standard browser. It cannot be modified, or accessed through the operating system as can IE. Therefore, most of the loading schemes used by malware do not work. So IE is definitely part of the problem. IE is part of Windows, so it is Windows' fault. Malware programs modify Windows so that they can run as extensions to the operating system, and do not actually show up as a process in the process list.
You're talking about viruses, and of course anyone who wants to break the law can do so. Right now though, there is a large class of software created by companies that say what they are doing is perfectly legal. They claim that by having a user click OK on a dialog box they can do pretty much anything they want on that user's PC. And they are doing this brazenly, out in the open, and in the clear view of the governing agencies. LOP.COM is one of the most-despised pieces of spyware around and still the guy from C2/LOP has the ballz to file a comment for the upcoming FTC spyware conference saying LOP is the future of Internet advertising!
Most spyware/adware makers feel the same way, they don't have to hide because they are not breaking any laws. And if you download the software directly from their web sites you will be presented with various screens and buttons you have to click to agree. However, the details of what you are agreeing to are anything but clear. The Claria license is 20 pages for example, and to paraphrase: "Once you click YES we can automatically download and install new software, even new versions of other vendor's software like Media Player or Flash if we need it to display ads. We can even send back a list of all the software installed on your system."
Should it be legal to bury that in a 20-page document and then say that clicking YES on a dialog box is legally binding?
Spyware doesn't come with the products you buy in a store. It comes from web pages in the form of activex driveby installers, with crappy software "bundles" in p2p programs, and so forth. The techniques used to install are deceptive, and will work around whatever laws you try to put on them.
The solution is to have intelligent security (e.g. not everyone is the fucking admin user, and your web browser doesn't happily run code from other web sites). It's not rocket science.
This will help with the companies like Limewire who are pretty much legit but morally questionable, which is good.
Unfortunately, however, the worst spyware/malware I've seen, the stuff that really grinds computers into the ground and makes people call me to fix their computer that 'just broke' is porn browser bars, porn autodialers etc. These are the kind of companies who are just below the bar of complying with the law but still a little way above outright theft. The legislation is a good idea, but what it'll mean is that there's less spyware out there and what does stay active will be all the worse and better hidden too.
Aside from the pop-ups one (which may be difficult to "gauge"), all of these features could be good or bad depending on the circumstances. The logic being, IF it has a lot of icons, AND you trust the company, then it's still safe to buy.
OTOH, if it has a lot of icons and you DON'T trust the company, it's probably NOT safe to buy. If it has one or no icons and you don't trust the company (or you do), it probably can't hurt.
Example:
Auto-Update, Uninstallable, and Modify system for a service pack from MS is no worse than Modify System + Popups from a "Free Web Accelerator" from some random website.
I can see them sticking those icons right next to the "recommended system requirements". It'd start looking like a Nutrition Facts label. They just need one for "Requires Administrative Privilege", and maybe they should also add one that says "Directly Controls Hardware".
And I think the telephone calls one and pop-up ones are too specific. The telephone call one should be more like "can incur incremental cost automatically" (so it'd apply to MMORPGs or Click n' Run as well) and the pop-up one should simply be "Adware".
The solution to this is a 'Clean' icon. If the software has it, it by definition does not have any of the behaviors denoted by the other icons. Trademark all the icons, and make sure that people can only use the 'Clean' icon if the code is verifiably clean (which you can pay to have done for you).
...why not do a similar thing for everyday software?
In commercial avionics there is a standard that describes the testing (and other) obligations for a software manufacturer. If you see a product certified to DO-178B level A, you know it can be used for a life-critical purpose. If you see DO-178B level E, you know they only slapped the label on something they developed without any formal development (and testing) process.
If software manufacturers are to be obliged to disclose the amount of spyware they distribute, then they should by the same account disclose how many bugs we expect them to distribute. Just make an easy-to-go-through certification in order to disclose how well you've tested your software to meet the requirements, and you're in business.
You have to remember that Windows is targeted more towards the Grandma/non-tech-inclined crowd, not the /. crowd. Whereas you would know what this means, Grandma wouldn't have a clue and just click 'Yes' to continue installation so she can watch the hilarious video with the cats in it.
Again, "do I want to start up 'ClockSync' at boot? Sounds important, I probably should!" Not to mention that there is no way that they'd break compatibility by removing support for all but one startup method. I do like the idea of a "pretty Startup icon," so long as it incorporates applications from ALL startup methods. (But then, how do you deal with NT Services? You don't really want Grandma disabling the "Windows Audio" service--oops, now sound doesn't work.)
You're probably talking about ActiveX, which can be very useful. The better way to go about this would be if the Code Signing Authorities (VeriSign, etc.) would have more stringent requirements before they sign spamware. (By default, unsigned code won't run.) Unfortunately, with VeriSign, this won't happen anytime soon. (*cough* SiteFinder *cough*)
I do believe the upcoming IE has a built-in popup blocker.
Which is exactly what Windows Installer is designed to do.
Good idea, but Grandma will never use it. The more enlightened will use The Proxomitron anyways.
You can use ACLs to prevent writes to those directories. However, when something tries to write to one of those folders, there could be a prompt along the lines of "Do you want a shortcut to AwesomeShitwareApp installed in the Quick Launch?" Downside: The good apps with nice installers already do this, would piss some people off that they are being asked the same question twice.
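As an added example (not code from the thread or from any commenter), the PowerShell below does the two things the comments above ask for: it enumerates the common Windows autostart locations (Run/RunOnce registry keys, the per-user and all-users Startup folders, and services set to start automatically) so an administrator can see what starts at boot regardless of which startup method was used, and it adds a Deny ACE on the all-users Startup folder so the chosen group can no longer drop shortcuts there. The paths, registry keys and the BUILTIN\Users group name are standard Windows values; the function names are my own. The ACL change needs an elevated session.

```powershell
# Added example: audit Windows autostart locations and lock down the
# all-users Startup folder with a Deny ACE. Not code from the thread.
# Requires an elevated PowerShell session for the ACL change.

function Get-AutostartEntries {
    # Registry Run/RunOnce keys for the machine and the current user.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
                if ($p.Name -notmatch '^PS') {
                    [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }

    # Startup folders: per-user and all-users.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($f in $folders) {
        if (Test-Path $f) {
            Get-ChildItem -Path $f -File | ForEach-Object {
                [pscustomobject]@{ Source = $f; Name = $_.Name; Command = $_.FullName }
            }
        }
    }

    # Services that start automatically (the "Windows Audio" case above).
    Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    }
}

function Protect-CommonStartupFolder {
    param([string]$Principal = 'BUILTIN\Users')   # group to deny; an assumption
    $path = [Environment]::GetFolderPath('CommonStartup')
    $acl  = Get-Acl -Path $path
    # Deny creating files/folders and deleting, inherited by new children.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal,
        [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    # Return the ACEs that now apply to the principal so the change can be inspected.
    (Get-Acl -Path $path).Access | Where-Object { $_.IdentityReference -eq $Principal }
}

Get-AutostartEntries | Format-Table -AutoSize
Protect-CommonStartupFolder
```

One caveat before using the Deny rule as a policy rather than a demonstration: BUILTIN\Users contains Authenticated Users, so a Deny ACE on it also blocks administrators and any installer they run, which is the "asked twice" friction the comment mentions in a harsher form. Pass a narrower group to -Principal if the goal is to stop ordinary accounts only.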
What ever happened to caveat emptor?
If you don't know what you're buying...don't buy it.
Some spyware is also sold for the explicit purpose of helping spouses to spy on their partners, parents to spy on their children, and employers to spy on their workers.
So this guy really feels that employers who monitor company computers are spying on their employees? Should closed circuit cameras be taken down to prevent spying on employees? It's a company computer... they can load whatever software they like on it!
The labels in the article are indeed negative. There is a strongly perceived difference between "This product does something you might not like" and "This product behaves well."
Hmmm...I don't know that I want to work that hard. When I install a new program, I usually don't know very much about it, so it would be rather hard to tell what behaviors are needed. I am a geek, so I could probably get it right most of the time if I took the trouble. Same would be true of reading the EULAs. But most software users are not geeks and letting them pick and choose the options that you suggest seems entirely unworkable regardless of the UI. It might work for you, but it would be a disaster for most.
Additionally, I believe the story goes that he worked as a janitor in the building that ID had their offices in and somehow got his foot in the door that way.
Yeah this is stupid. Basically people who write this crap-ware would have to have a label that says, in effect: "This software will do something you do not want it to. It will annoy you and may expose personal information. Do yourself a favor and do not install it."
Plus this is yet another American idea. The Internet is bigger than America. American laws would only protect people from software written in America. What about all the crap-ware that gets written elsewhere?
Bottom line: I give this idea 9.5 out of 10 stupids.
But you're kidding yourself if you don't think the main reason there's more malware for Windows/IE than anything else is because of their popularity.
To agree with you, I'd have to accept that popularity, and not design, is what creates security flaws. No, sorry, I'm not buying it. Netscape, with its 6 major vulnerabilities that have long since been patched, I can sit here and surf all day without picking up any malware. Windows is the problem, and IE is the enabler, if you will. I'm going to be switching our network workstations over to Netscape, and EULA-be-damned, I'm going to find a way to cripple IE.
I've never had the png problem you speak of so I can't comment on that - surely associating the .png extension with something other than Quicktime will fix it though.
However, bad software practises that discourage freedom and innovation? Please when you make these claims back them up. Like the OS X microkernel being open source? Like giving significant help and assistance to the KHTML engine in return for its implementation in Safari (which increases its usage in the wild by many magnitudes)?
Sure, corporate entities keep secrets, and some of these secrets relate to software, but guess what? These things cost money to make, and if Apple were to give away all the stuff it worked hard on then its 11,000 employees would be literally going hungry.
As far as fair play with the iTunes Music Store, you are being WILDLY unfair - the terms, by any normal standards, are unobtrusive. You can use your music on more than one computer (three), you can use your music in your movies and DVDs (if you use iMovie and iDVD on your Mac), you can burn your tunes to CD as many times as you wish. Tell me of one other large commercial online music store with better DRM than this. Apple should, in fact must, be congratulated on forcing the RIAA and the labels to bend this far - no one else even got close.
For downloaded programs, how about putting the warning label on the installer's EULA screen, above the fold? (The "fold", in human interface design, is the first line of text not visible in the initial state of a scrolling text box.)
So? Nearly every program my company writes does all of those as well. And our customers love us for it.
More power to them. The fact that they love you for it implies that they know that you do it. As a consumer, I have a right to know how my machine is going to change when I click setup.exe. How many people do you think would have installed Bonzi Buddy if they knew all the different crap it did?