Slashdot Mirror
The Pure Software Act of 2006
lurker412 writes "The MIT Technology Review features a proposal by Simson Garfinkel to provide honest labels on software in the same way that the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products. The proposal targets adware, spyware and other unsavory practices. It suggests that by requiring software manufacturers to include clear icons for each nasty behavior--rather than hide the disclosures in seldom read or understood click-through SLAs--end users will be better protected. Garfinkel specifically lists eight types of sneaky behavior, but the list is not meant to be exhaustive."
Anyway, did anyone else read this and think immediately of the Evil Bit? The whole thing has got to be a joke, right?
John
Anyone see the name as "Simon and Garfunkle"?
I'll go back to work now...
First he writes "Bridge Over Troubled Waters" and now this!!
"Would you, could you, with a goat?" Dr Seuss
How do they plan on labeling software solely distributed over the internet? I'd venture to say that 90% of the spyware that's out there comes through download-only software (DivX, peer to peer software, etc...).
Implementation would be far too much trouble. Developers would fight you at every turn. Would my software be spyware if I had it collect general system stats if you choose to register, so that I know the average machine speed of my clients? Would that carry the same label as a program that logged every keystroke and sent that back?
to denote buggy code?
Spyware is a big problem which isn't Window's fault. Because windows is the biggest, it gets targetted by spyware. You can still right a program which uses 100% CPU Usage and makes everything really slow,etc. for another OS, no matter how secure. Unfortunetly, its targeted at windows. My friend thought that windows XP was horrible because it was running so slow. On a 2ghz, it would take 5 minutes to load IE. I showed him Ad-Aware from lavasoft. It detected 589 spyware objects, quite a few of them different. I found that a big problem with spyware, is not only the spying, yet the fact that it slows your system to a hault. If this works, and makes spyware go away, or atleast well known spyware label itself (such as gator), I will rejoice.
Help Fight SPAM today!
to provide honest labels on software in the same way that the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products.
By opening or removing the seal to this package you agree to abide by the terms explained in the enclosed EULA. By the way, this product contains software code, which, by installing on your computer, could render you utterly defenseless from intrusion, viruses, worms, trojans, popup advertising, loss of data, loss of privacy, NOT TO MENTION putting you on an endless treadmill of planned obsolescence, making you a pawn in the global theater of consumer rape by corporations. Enjoy!! Oh, yeah, we don't guarantee that the software works, and, no refunds.
As that article says, most of the proposals to control spyware get bogged down in trying to define spyware without catching sofware that is clearly legitimate, such as an antivirus program trying to "phone home" automatically to update its virus signatures.
I would much rather see regulation that required all software to clearly declare its intentions, and to get explicit and verified permission to install.
Read up on how she's bought-and-paid for by a loan from Real Networks - a loan that Ms. Cantwell got to pay for her campaign by using her insider shares she got from Real - and a loan that was supposed to have been called in when Real's stock price tanked.
And that's just Real - anyone wonder how many Senators, Congressmen, and President's Bill Gates has on his payroll?
That is contrary to the nature of the software, which is to hide, report on your actions, enable remote operations, reproduce and the like.
Spammers are going to ignore this, just like an unsubscribe link.
Software vendors will have no incentive to put negative labels on their products; even if it's the law, they'll find some loopholes to avoid the labels. Instead, they would have more incentive to use labels that are positive. Instead of making a vendors say, "Yes, I use spyware," it makes more sense to award well-behaved programs a positive seal of approval which means, "This software uses no spyware, is uninstallable, etc."
Looks like this software contains 36% of my daily value of spam, but it does contain 200% of my daily requirements for internet messaging.
Free Flat Screen
Are the makers of porn dialers, trojans, email relays and viruses going to put a helpful icon on their software? No.
Of course not, but the makers of legitimately well behaved products will. You look at two food cans... one has a label with ingredients and such and the other one doesn't. Which one will you eat?
This to work would require one or more bodies like the ESRB to test products, assign the correct labeling, and go after abusers.
Tom the Sigless
The people who get spyware are the stupid and the elderly. Switching to linux would make things even worse for them.
I believe you just made the case for Mac OS X.
The Pure Software Act of 2006
100 years ago, Congress passed a law requiring honest labeling of food and drugs. Now the time has come to do the same for software.
By Simson Garfinkel
The Net Effect
April 7, 2004
Spyware is the scourge of desktop computing. Yes, computer worms and viruses cause billions of dollars in damage every year. But spyware--programs that either record your actions for later retrieval or that automatically report on your actions over the Internet--combines commerce and deception in ways that most of us find morally repugnant.
Worms and viruses are obviously up to no good: these programs are written by miscreants and released into the wild for no purpose other than wreaking havoc. But most spyware is authored by law-abiding companies, which trick people into installing the programs onto their own computers. Some spyware is also sold for the explicit purpose of helping spouses to spy on their partners, parents to spy on their children, and employers to spy on their workers. Such programs cause computers to betray the trust of their users.
Until now, the computer industry has focused on technical means to control the plague of spyware. Search-and-destroy programs such as Ad-Aware will scan your computer for known spyware, tracking cookies, and other items that might compromise your privacy. Once identified, the offending items can be quarantined or destroyed. Firewall programs like ZoneAlarm takes a different approach: they don't stop the spyware from collecting data, but they prevent the programs from transmitting your personal information out over the Internet.
But there is another way to fight spyware--an approach that would work because the authors are legitimate organizations. Congress could pass legislation requiring that software distributed in the United States come with product labels that would reveal to consumers specific functions built into the programs. Such legislation would likely have the same kind of pro-consumer results as the Pure Food and Drug Act of 1906--the legislation that is responsible for today's labels on food and drugs.
The Art of Deception
Mandatory software labeling is a good idea because the fundamental problem with spyware is not the data collection itself, but the act of deception. Indeed, many of the things that spyware does are done also by non-spyware programs. Google's Toolbar for Internet Explorer, for example, reports back to Google which website you are looking at so that the toolbar can display the site's "page rank." But Google goes out of its way to disclose this feature--when you install the program, Google makes you decide whether you want to have your data sent back or not. "Please read this carefully," says the Toolbar's license agreement, "it's not the usual yada yada."
Spyware, on the other hand, goes out of its way to hide its true purpose. One spyware program claims to automatically set your computer's clock from the atomic clock operated by the U.S. Naval Observatory. Another program displays weather reports customized for your area. Alas, both of these programs also display pop-up advertisements when you go to particular websites. (Some software vendors insist that programs that only display advertisements are not spyware, per se, but rather something called adware, because they display advertisements. Most users don't care about this distinction.)
Some of these programs hide themselves by not displaying icons when they run and even removing themselves from the list of programs that are running on your computer. I've heard of programs that list themselves in the Microsoft Windows Add/Remove control panel--but when you go to remove them, they don't actually remove themselves, they just make themselves invisible. Sneaky.
Yet despite this duplicity, most spyware and adware programs aren't breaking any U.S. law. That's because many of these programs disclose what they do and then get the user's explicit consent. They do this with something that's called a click-wr
Why not use Mr. Yuck! stickers and icons all software that uses unsavory practices?
No need to make it complicated...if it's got any characteristics like spyware it's crap and gets a Mr. Yuck. Simple.
A feeling of having made the same mistake before: Deja Foobar
No thanks. I have more trust for "disinterested" third parties that verify and publish on their own. A more helpful law would be one that protects the researchers (even amateur ones) from harassment (legal or otherwise). It's a slippery slope, it will not end with labeling.
I *don't* want that to happen with software! I'd much rather retain the right, as fair use, to legally modify crap-ware, and also have the right to discuss the details of that modification with other people.
Fred
"A fool and his freedom are soon parted"
-RMS
The food and drug industry is heavily regulated, and is substantially easier to control than software because producers need to be licensed with various governmental bodies, depending upon the country. Rightfully so, as lives are at stake.
If this sort of labeling scheme is to achieve widespread adoption, it will need the same sort of tight regulations. I don't believe that the majority of developers would enjoy this at all... imagine having to have upgrade releases and patches approved by the Federal Software Administration, before being allowed to legally distribute it to the public. Throw in the fact that it would take several decades just to get a minority of the world's countries on the same wagon, and consider that most "scumware" (to generalize) comes from outside the U.S.
It's a great idea, but the execution is all wrong. More appropriate would be to grant developers the ability to have their software approved as "Popup free" or "Doesn't Phone Home" or the inverse of the many other icons that Simson Garfinkel (sounds like a joke) proposes. This legislation would prove a lot harder to fight from an industry perspective.
This comment is fully compliant with RFC 527.
If anyone cries that this would be like a scarlet letter and harm his sales, remind him that proponents of DRM (while wielding effective monopolies in their product areas) were saying to "let the market sort it out." Free markets require good information, which such a law will provide.
Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.
The Pure Food and Drug Act, while seemingly innocuous in its time, paved the way for the current prohibition against certain drugs in the US (and most of the world) and led to all of the excesses and perversions of the government's "War on Drugs". How could this proposal (well-meaning and topical as it seems today) come back and bite us in the future?
Perhaps deeply immersive and psychologically convincing virtual reality of the future will be deemed to be software with the potential to cause harm and no redeeming properties. Then the government would be well within its "rights" to prohibit the software's use and impose draconian penalties for possession or distribution (especially if you have the source code).
People in 1906 let the government have say over what they put in their bodies because of fear of contamination (and outright fraud), are we going to let the government have say over what we put on our computers because of fear of ad- and spy-ware?
Ya, I use Windows XP. Even though I have a firewall and keep my patches up to date, I still get adware/spyware once in a while.
I would get 0 adware/spyware if Microsoft wrote a little bit of security into their operating system in a few ways:
- Record log of installed files (prompt for any files being installed in non-specified directlories.. ie: If realplayer trys to install realisawesome.dll in C:\windows\system32, WINDOWS itself prompts me.)
- Prompt for any programs trying to start up with the computer
- Have only one method for a program starting up with a pretty little 'startup' icon in the control panel
- Disable IE's install on demand by default (probby most common method for spyware)
- Allow users to disable popups without a fucking extra program (fuck developers and their incessant popups - MS gives way too much control to them and none to the end user)
- Have Windows control the uninstall and not some crappy script written by the same company that wrote the crappy software that user wants to uninstall cause' it was crappy
- Allow the user to enable plugins only when desired (disable flash advertisements and stuff)
- Quit allowing programs to install a shortcut in startup, the quicklaunch bar, the desktop, every goddamn folder on the computer, favorites, and quit launching a secondary program just to launch a button that launches the main program!!!
This is how you could fix things in Windows.. Linux is pre-fixed.
So, you Linux nerds, why the hell aren't we trashing Microsoft in this thread? They're fixing 'security', but not the type of shit Mr. Stupid Enduser cares about.
--- We need more Ron Paul!
Further, there are several games that ship with Microsoft DirectX. That modifies your operating system. The program's package can't be labelled without the (wrench icon), unless it comes with installation instructinos about how and where to download the required ActiveX features.
In otherwords, sometimes the labelling will simply get in the way of the whole truth.
Kinetic stupidity has a new brand leader: Allen Zadr.
You're talking about viruses, and of course anyone who wants to break the law can do so. Right now though, there is a large class of software created by companies that say what they are doing is perfectly legal. They claim that by having a user click OK on a dialog box they can do pretty much anything they want on that user's PC. And they are doing this brazenly, out in the open, and in the clear view of the governing agencies. LOP.COM is one of the most-despised pieces of spyware around and still the guy from C2/LOP has the ballz to file a comment for the upcoming FTC spyware conference saying LOP is the future of Internet advertising!
Most spyware/adware makers feel the same way, they don't have to hide because they are not breaking any laws. And if you download the software directly from their web sites you will be presented with various screens and buttons you have to click to agree. However, the details of what you are agreeing to is anything but clear. The Claria license is 20 pages for example, and to paraphrase: "Once you click YES we can automatically download and install new software, even new versions of other vendor's software like Media Player or Flash if we need it to display ads. We can even send back an list of all the software installed on your system."
Should it be legal to bury that in a 20-page document and then say that clicking YES on a dialog box is legally binding?
Oh, if only that were true.
There's this relatively new thing out there that's called Morze. I think it comes with the package that installs VirtualBouncer and Ad Destroyer.
It's awful. It creates 10+ randomly-named executable files in the Windows directory, and puts shortcuts to them in the start menu (in 98, it also puts duplicates in windows\all users\start menu\programs\startup, so it still tries to load them even if you deleted the visible stuff). Morze re-creates the EXEs and shortcuts, so if you delete them without getting rid of Morze...
It also seems to install other crap like ClearSearch and EZula. As a bonus, it looks like it interferes with Ad Aware, and maybe Spybot.
Last weekend, I went over to a co-worker's house to try to get his 'high speed' dialup connection working. I spend three hours manually removing accumulated spyware, mostly because I stupidly forgot my USB key with those on it. I delete something evil, and it breaks his winsock. I come back the next day armed with Ad Aware, Spybot, CWShredder, LSPFix, HijackThis, BHODemon, and my Microsoft security update CD. Spybot finds 641 entries (and this after I spent 3 hours removing stuff). I run Ad Aware next, and it finds another 300.
You name a piece of spyware, and he probably had it. There were at least 4 different toolbar programs installed. His active processes list was about 3 pages long.
After I got done with it, his 2GHz P4 was no longer acting like a P200 with a glitchy WinME install.
This this shit is a bane upon the Internet, and I fully support the public execution of those who create it. They're worse than spammers. I worship the ground Ad-Aware and Spybot tread upon.
Aside from the pop-ups one (which may be difficult to "guage"), all of these features could be good or bad depending on the circumstances. The logic being, IF it has a lot of icons, AND you trust the company, then it's still safe to buy.
OTH, if it has a lot of icons and you DON'T trust the company, it's probably NOT safe to buy. If it has one or no icons and you don't trust the company (or you do), it probably can't hurt.
Example:
Auto-Update, Uninstallable, and Modify system for a service pack from MS is no worse than Modify System + Popups from a "Free Web Accelerator" from some random website.
I can see them sticking those icons right next to the "recommended system requirements". It'd start looking like a Nutrition Facts label. They just need one for "Requires Administratrive Privledge", and maybe they should either add one that says "Directly Controls Hardware" too.
And I think the telephone calls one and pop-up ones are too specific. The telephone call one should be more like "can incur incremental cost automatically" (so it'd apply to MMRPGs or Click n' Run as well) and the pop-up one should simply be "Adware".
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Like many people, Garkfinkel is proposing a legislative solution to something that'd be better handled technically.
.Net also makes overtures in this direction. It will be a challenge for OS vendors to allow users to have this amount of control, without overwhelming them with so many choices they'll give up and just give full permissions to everythig (in the pattern of "I always run as administrator, because it's the only way to get stuff done"). But those challenges can be surmounted with skilled interface design.
(Legislative solutions are suboptimal/dangerous for many reasons. They are over-broad, in that they apply even to consenting adults who wish to engage in the behavior without meddlesome government oversight; cf prostitution. And they're too-narrow, in that they can by necessity only apply within the country's legal jurisdiction, whereas software distribution is an international operation)
Turn now to the second page the Pure Software proposal. The list of potential warning-labels it suggests is: Hook, Dial, Modify, Monitor, Popup, Remote Control, Self-Updates, and Stuck.
All of those things are basically technical features which a well-designed operating system could prohibit programs from using, without permission. The root of the problem is that even after 30+ years of software publication, most programs are still just completely arbitrary lists of instructions: once they're executing, they do whatever they do, and nothing can stop them.
The big exception there is that most OSes, at least, restrict programs on a per-user basis. A program cannot read or edit files to which the executing user has no permission. That's an important step, but one that Unix has had firmly in place since the 80s. As time passes, we need to go further: program priviledges should be restricted not just at the per-user level, but also at finer granularity.
When I download and install a program, I don't want just the option of "run it or don't". I should be able to run it, but without it being able to read any files except those it came with. Or being allowed to read files, but only if I pick them from a system-supplied dialog box. Or read any files, but not write to them, except in a directory I've chosen (and that it can't override). Or write files, but only in specific approved formats (such as those which can't possibly contain executable code). Similar kinds of restrictions suggest themselves for GUI and network areas (including the important points of "phone home" and "data tainting")
To a small extent, Java frameworks (like "Web Start") have attempted to do this, with a list of features the user can individually permit a program to execute. Microsoft
The best way to prevent software from doing something is to use software that prevents it from doing it. (As Lawrence Lessig said, the best and most effective laws for code are more code)
...why not do a similar thing for everyday software?
In commercial avionics there is a standard that describes the testing (and other) obligations for a software manufacturer. If you see a product certified to DO-178B level A, you know it can be used for a life-critical purpose. If you see DO-178B level E, you know they only slapped the label on something they developed without any formal development (and testing) process.
If software manufacturer are to be obliged to disclose the amount of spyware they distribute, then they should by the same account disclose how many bugs we expect them to distribute. Just make an-easy-to-go-through certification in order to disclose how well you've tested your software to meet the requirements, and you're in business.
C.
the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products.
What's to stop someone from saying "This product may contain one or more of the following; ad-ware, spy-ware, automatic updates, and a chance to win $1,000,000"
That last item would be enough to entice most people to buy it anyway.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
With all of these icons, will there even be ROOM for the logo on the Windows box?
This should go for electronics too (especially items such as DVD players etc that have embedded software)
But where is DRM? Thats the most important label of all, and the description of the label must _not_ include the words "Digital Rights Management" which is simply PR crap for "restricting what you can do"
This comment does not represent the views or opinions of the user.
What ever happened to caveat emptor?
If you don't know what you're buying...don't buy it.
I have discovered a truly marvelous
Some spyware is also sold for the explicit purpose of helping spouses to spy on their partners, parents to spy on their children, and employers to spy on their workers.
So this guy really feels that employers who monitor company computers are spying on their employees? Should closed circuit cameras be taken down to prevent spying on employees? It's a company computer... they can load whetever software they like on it!
.:diatonic:.
I like the idea in principle, but see plenty of problems in it's practical impelementation.
.deb or .rpm package in your Linux system had a spurious GUI component, just to comply with a well-intentioned but poorly-considered law!
As described, the proposed law would hard-code the concept of using icons to disclose this information. What about fundamentally non-graphical programs (drivers, daemons)? What about overall non-graphical environments (servers, embedded)?
I fear this scheme would further what is already an increasing problem: that everybody wants to attach a GUI to every program, even if it's totally inappropriate (e.g. printer drivers). The proliferation of spurious GUI interfaces leads to the proliferation of inappropriate design choices in exception reporting (pop-ups instead of log files), configuration methods, etc.
I'm not anti-GUI, by the way. I'm anti-inappropriate-GUI, and I fear hard-coding icon requirements into every piece of software makes this trend even worse. Immagine if every
On the other hand, I would definitely like to see these icons displayed on the labels of software packages and disks, or on the web pages that software is downloaded from.
Oh, and something the article didn't mention, but I'd propose this ammendment to the act: Make it hard to add any additional icons (i.e. to make the program behavior worse) in upgrades. If any icons are added, the vendor must either (1) continue to support the old version for future bug fixes, security patches, etc., or (2) refund the purchase price to buyers who choose not to continue using the product. (Obviously, there'd have to be a time limit, but long enough to prevent the use of "incrimental-spyware" as a bait-and-switch technique.)
The labels in the article are indeed negative. There is a strongly perceived difference between "This product does something you might not like" and "This product behaves well."
Use and enjoy!
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Hmmm...I don't know that I want to work that hard. When I install a new program, I usually don't know very much about it, so it would be rather hard to tell what behaviors are needed. I am a geek, so I could probably get it right most of the time if I took the trouble. Same would be true of reading the EULAs. But most software users are not geeks and letting them pick and choose the options that you suggest seems entirely unworkable regardless of the UI. It might work for you, but it would be a disaster for most.
But you're kidding yourself if you don't think the main reason there's more malware for Windows/IE than anything else is because of their popularity.
To agree with you, I'd have to accept that popularity, and not design, is what creates security flaws. No, sorry, I'm not buying it. Netscape, with it's 6 major vulnerabilities that have long since been patched, I can sit here and surf all day without picking up any malware. Windows is the problem, and IE is the enabler, if you will. I'm going to be switching our network workstations over to Netscape, and EULA-be-damned, I'm going to find a way to cripple IE.
Fred
"A fool and his freedom are soon parted"
-RMS
For downloaded programs, how about putting the warning label on the installer's EULA screen, above the fold? (The "fold", in human interface design, is the first line of text not visible in the initial state of a scrolling text box.)
Lets say Netscape was THE browser to have. Do you think anyone would be bothering to write IE exploits?
Your argument is based on the premise that IE and Netscape are the same in terms of design. Netscape/Mozilla can't be "hijacked" in the same manner because it doesn't use Windows' registry classes to determine what to do with a downloaded file, and it isn't integrated with the Explorer shell. A Netscape browser window instance can't be silently started (without a "head"), and a new filetype can't be opened without the user knowing, or taking action. Likewise, Sun Java and Javascript is limited to things done inside the browser, it doesn't have access to the rest of the operating system.
But disabling IE is not the answer. I predict within a few weeks of you doing this you are undoing it for some higher ranking manager. Then his buddy will find out, and so on. Soon you are supporting not 1 browser but 2. HAVE FUN with your crippling!
Obviously, I can't completely remove it, that would break Windows. I want to use it as a tool for running Windows Update, but I will have to make exceptions for certain trusted sites. It won't be my undoing because my superiors are well aware of the problems that malware causes, and would be happier without pop-ups and system instability. I'm not doing this in secret. I've explained to them the reasons, the effects, and the exceptions where some may have to use IE.
Make the people who are making your job misserable RESPONSABLE for their actions.
I can't go Stalin on my network users. Where there are standard configurations, we use DeepFreeze to restore the computers to the original configuration. Unfortunately, we can't use this everywhere, because it is to inflexible for the users with non-standard configurations.
Fred
"A fool and his freedom are soon parted"
-RMS
I now understand why USA citizens are so fat.