NYS Senator Suggests Criminalizing Spyware
putch writes "New York State Senator Michael Balboni has introduced legislation to make the dissemination of spyware a criminal act. You can read the full bill text here. Is this a good thing? It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user. It would seem to me (IANAL) that it would be quite unenforceable, but may send the right message to spyware outfits. Also interesting is that it requires any 'legitimate' spyware to disclose any bandwidth it may consume and requires the disclosure to be in bits per second." The bill is quite short and readable. (This might remind you of the recently introduced anti-spyware bill in the U.S. Senate.)
I'd be more interested in something that took a dig at the EULAs, in the grand tradition of protecting silly people from themselves. This bill looks like do-nothing election-year fluff. Were I a New Yorker, I'd tell this fellow to go back to the drawing board and try again.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
Because the law will be overly vague, and the next thing you know, you'll be going to jail for writing software which has online updating.
LWN ran a story about the Utah anti-spyware law last month. A number of parties objected, but don't appear to have any legitimate grounds for complaint. The law doesn't ban spyware outright, but requires that spyware explain to the user what it will do, and obtain the user's consent before doing it. Only naughty people/companies should have a problem with that.
The LWN story links to an excellent analysis of the law by Benjamin Edelman.
...do not send the right message. Bunch of feel-good politics.
Seems like the problem here is "explicit approval". I have personally witnessed people who just answer "YES" or "OK" to anything and everything that pops up on their screen - are they not giving explicit approval? They may be signing away their first born in a paragraph you have to scroll down to see, and they would never know.
William Stephens
MCSE,MCDST,Well Respected VBScripting Guru
williams007@yahoo.com,(212)275-4831
I think the biggest problem with EULAs is that they can be agreed to without being fully displayed to or read by the end user.
I think that it'd be useful for there to be a legal standard for how a EULA must be presented to a user to be binding. I don't think it should be possible for a user to be legally bound to an agreement that they might have missed by too quickly clicking a "Yes" button.
This effort from Congress will work very well. After all, they have a good track record. The day Bush signed the "Can Spam Act", the spam shut off; haven't seen any since.
Don't blame Durga. I voted for Centauri.
How many people just click "OK" when the annoying messages appear? Is that considered "explicit" approval? Will there now be more annoying user agreements to read through? Most importantly, will the Windows error report thingy now be illegal?
They can't pass a friggin' budget on time for like 15 years in a row, but some Senator gets pissed off by Gator and suddenly let's do something. While I appreciate what he's trying to do, there are more important things.
"Armed forces abroad are of little value unless there is prudent counsel at home" - Cicero
What if I sneak into a Big Company's computers without their knowledge, using a hacking tool masquerading as a harmless program, or perhaps piggy-backing on a "legitimate" application, and then hide there, secretly reporting traffic and even keystrokes back to a central server? Let alone if I do it sloppily, slowing them down, crashing them, popping up distracting windows all the time?
I think I'd go to prison, don't you?
Why, I think there are some laws against doing that.
Now, switch Big Company with some anonymous little guy. And we debate about whether or not it should even be specifically against the law... Hah.
Want to Know How to Cheat the GPL? Read On!
...he means Microsoft Windows(tm).
I saw this while browsing the tldp.org lists. How about this link for the Linux Documentation Project. Would the law make Linux documentation illegal?
I run a network with about 300 Windows PCs on it and our staff has had such a hard time with removing this crap. I applaud this movement because I never thought I'd see something surpass the annoying presence of viruses on Windows. Spyware is now our number one threat to individual system stability, and generates so many support calls it's not even funny. While we're on the subject: anyone run a network and successfully automate Spybot S&D? We run it by hand, and have never had time to dig and see if it could be run via command-line arguments so we could streamline this whole deal with the logon scripts, such as auto-immunization. I looked at all the docs, and they don't say anything about that kind of stuff. Any help would be appreciated.
The test would be to see what sort of thing the user has to click to agree to use the spyware.
If it's a 30-page EULA with a 'next' button, then it is not explicit approval.
If it's a large dialog box that says "Do you wish to provide Company X with personal information", and lists what info it will send, then that is explicit.
If someone files a complaint under this law, and the spyware does not comply with the appropriate standards, then the company pays a fine (income for the state!), and possibly jail time.
END COMMUNICATION
... protecting stupid people from themselves.
All of these legal measures, this one and the bill in Utah that someone else has mentioned, are band-aids applied to the sucking chest wound of the fact that the average 'Net user wants all the freedom of going to any site in the world and downloading anything he/she wants and none of the responsibility of intelligently choosing said content based on a solid understanding of how information technology actually works.
Call me elitist if you want to, but the scary thing to me about this idea is that it will give lazy idiots (the people who still call themselves Newbies after using a device for years) another disincentive to actually gain some knowledge of the tools they use and take for granted every day.
So, if I send 1 bit per second for a year, is that more okay than sending 100 kbits per second for 1 second?
Also, if I send 1 bit every 100 seconds, can I round off and just call it 0 bits per second?
> Doesn't sound like it will catch most of what we call Spyware.
I'd have to agree. Spyware is any software that installs, either with or without permission, to monitor the user and relay information to third parties, for the purposes of selling merchandise or services. Spyware runs in the background, and is difficult to uninstall, or breaks other programs when uninstalled.
The dangers of knowledge trigger emotional distress in human beings.
Block all outgoing access to weatherbug.com, the 2 IP addresses used to show weather reports through WeatherBug (I forget which ones, just run tcpdump to see them), and block the other major spyware (webshots, kazaa, etc). Then you will have adequate control (and for those that think you can just cut admin access, try running AutoCAD or something similar (claimzone, etc) as a mortal user).
Bored? Why not join a decent mess
You might also, I don't know, image the person's drive; when they screw up the machine, restore the image instead of trying to "clean" it. That way you only spend a few minutes dealing with that, and they get the reinforcing pain of losing all their personalized settings. After doing that a few times, they'll figure out that downloading CRAP is bad.
Yeah, right.
So if my keylogger drops all the spacebars then I'm home free, thank you sir!
--
stupid /. won't let me quote all caps
Wouldn't this make it illegal for companies like Adobe to include spyware-like anti-piracy measures in their products?
"without obtaining explicit approval from the user" should be amended to say: "without obtaining explicit approval from the user, received in writing, via postal mail, prior to installation of the 'reporting' (spyware) components. Choosing not to install 'reporting' (spyware) components shall install a fully functional, time-limited DEMO version of the software, for end-user evaluation."
There it is, hog-tie the bastards who wish to include invasive 'features' in software. Force them to provide a testable product, stripped of spyware, and allow the market to choose if it is stupid enough to send in a snail mail asking for the spyware.
Is this stuff Rocket Science(tm)???????
McCain is a confirmed toady of big business. He'll never let anything that might inconvenience his patrons become law.
Hey JeffK. I miss your updates. If you actually signed on with a real Slashdot acct, I would add you just so I could read more crazy shit like this!
Ok so what exactly is 'spyware' (rhetorical question)? Is the 'customized' Netscape/IE browser my ISP made me install (for a 'superior Internet experience') considered spyware?
This has to be some of the "best-worstest" display of grammar and structure I've seen in a while. Bravo Trollie! :bad command or file name
The greatest hindrance to success is a well-rationalized excuse
Why would Sen. John McCain (R, Arizona) be able to block a bill in the New York State Senate?!
STOP MISUSING APOSTROPHES, YOU MORONS!!!
And also make it part of the law that the "I agree" checkbox be OFF by default.
That alone should protect most people.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
The solution lies in users educating themselves on the vulnerabilities of their web browsers and the consequences of software that is distributed with AdWare. I work at a university and my department is responsible for dealing with the residential networks and their users. We often have to shut down users who become compromised and start spamming the hell out of people. Oftentimes a student will look at me and say "I didn't know something like this could happen". Well, my office is taking a new direction next year, including a class held weekly on securing your computer and not downloading that hot new "Osama Bin Laden" game you saw in your buddy's AIM profile. I think the legislation will be used to do more harm than good. Software accountability would be nice, but will never happen. The users need to begin to realize that the powerful piece of computer has the potential for bad as well as good. And they'd better learn to control it.
-----Zephyre
Yo, I know that Bloomberg is pushing for an extension of the #7 subway to the west, but not *that* far west.
McCain don't have much clout in Albany. Now, you wanna go off on Sheldon Silver, be my guest.
If I used Windows, or all sorts of windows apps, I'd want them to spy on me to see if my latest security patches were up-to-date. I think your average windows luser will _want_ to know when he needs an upgrade of certain software.
Spyware I fear most is that that actually does spying - i.e. steal credit card number, passwords, keystroke-loggers by-employers-who-don't-keep-the-records-safe-so passwords-get-stolen-from-their-logs, etc
Some things that probably meet such a broad definition of spyware:
Windows XP
Windows Media Player
Internet Explorer
All of these programs transmit personal information without your consent (sometimes this depends on your patch level and the virus du jour as well). That being said, as soon as you turned the computer on, or opened the shrink wrap, you accepted the EULA. Thus you explicitly accept that your personal information will be transmitted. The same types of wording are in the EULAs that often accompany spyware that people install. In the end, it's probably a moot point. Personally I think it would be more important to look at EULAs as a whole and how they are used to take away the rights of consumers, as well as shield companies that knowingly sell out defective software.
cluge
AngryPeopleRule
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
One problem with spyware is that it is not produced and distributed in "good faith." To some extent, so is Windows Media Player, for example, so, if spyware is deemed illegal, there is a good chance for unintended consequences. Are the odds good that the legislation will be specific enough?
Vote in November. You won't regret it.
Does this mean that down the line the profiles being made on me via shopper reward cards, and other membership-related cards, are going to have to be disclosed to me as well?
One of my clients called me up after I did a spyware sweep and clear of her machine. She said, "What happened to my Incredimail?" I replied, "It's spyware, and it's part of what's going wrong on your PC." "Oh, well I was using it and I had some emails saved on it. A friend of mine recommended it to me, she said it was great!" I reinstalled it, and sure enough she called back to tell me her machine slowed down and her popups increased threefold. Sighhhhh...
6. IF SUCH DOWNLOAD SHALL ALTER THE SPEED THE COMPUTER TRANSMITS DATA AND IF SO WHAT SUCH ALTERATION SHALL BE IN BITS PER SECOND.
Note the non-technical term "speed" to describe bits per second. Downloading doesn't alter the rate your computer transmits data; it depends on bandwidth capacity.
We need to innovate, not litigate. Spyware protection should be built into the computer, not regulated by the government.
Quiz users instead of allowing them to hit OK and YES. True or False: We will hijack your system resources
You Sir,
Are so correct!
I wish folks would look for other options before getting the Legislatores(sp?) involved! They will only pass laws that will further their career one way or another! Or, as you have suggested, add on to laws to further agendas of their campaign contributors!
that we are well off by letting each member of a community act in their own best interest. It's hard to see how the spyware authors' best interest serves our internet community as a whole. Therefore the spyware author's self interest must be an important step in the growth of the internet and our own claims of personal freedom. If you care enough to not be watched while you surf or use, you will make sure your computer is not host to any spyware. I can say I don't have any spyware and if you really care, you can say the same!
Quiz users instead of allowing them to hit OK and YES. True or False: We will hijack your system resources?
That's what we(US) are. Get used to this shit!
Yes sir!
It's small as laws go, but I saw a glaring loophole here:
SUCH COMMUNICATIONS ARE COMPUTER FILES THAT DISPLAY ALL OF THE KEY STROKES THAT A COMPUTER USER MAKES.
Some goon spyware shop just eliminates the letter q or h or a few more, and they can slide by and still easily read the keystrokes for most purposes. Should be struck and changed to ANY keystrokes instead of ALL keystrokes then.
Besides that, it's an attempt. Hard to describe spyware legally though, isn't it? And what's data, personal data? Say I don't want ANYONE without my permission (and paying me a fee and getting a license) to be able to identify my architecture, operating system, etc. I could call that personal data, and it is really. Whoops, just wiped out the ole intarweb there.
Maybe a better way. I dunno, let the smarter guys chew on this one.
Make it illegal to transfer any data in or out of my box without the permission granted by me by a normal HTTP or similar transfer protocol request from the box itself, or by a signed digital signature granting license for specific services, said license being available by a certain request, the "ping of what's cool to do or offer" request we'll call it before it gets mush-mouthed. Doing it, transferring unwanted data in or out of my box with an executable, won't matter then; it will be covered if it hasn't been licensed in advance by MY license, not theirs, as well as any external flooding, overflow attempts to get root, whatever. Seems like it would anyway. Simple, to the point, covers most anything illegal. That'll cover quite a bit, and also make all unsolicited email illegal as well.
OR, bring back dueling, make it legal
OR, pass one law: every 20 years all politicians are fired, they may never hold any elective or appointed office, nor may they be hired on to government, no work as a lobbyist. Along with that, all previously passed laws are null and void, a national "jubilee" (in the classical/historic sense) is declared, and we start from scratch all over again with the basic Bill of Rights and Constitution.
Solve all this crap every 20 years painlessly. Every generation should have their own chance to screw up equally, I say.
So now I request browser type and IP address as hidden form inputs for my blog (i.e. - gather user information without their consent) and they can throw my happy ass in jail... great...
I think it should be criminal to create a program which resists being uninstalled by the owner of the hardware on which it was installed, regardless of whether or not the owner accepted its EULA.
Lagito ergo expectabo
Instead of a new law, where the cons by far outweigh the pros, from being overly broad to being ineffective because of EULAs, how about a technical solution?
One solution would be a browser plug-in that checks a central database for spyware "signatures", similar to anti-virus software. It would then warn you whenever you downloaded spyware, with a link to more information at the central site.
The primary reason spyware has become prevalent is because users are unaware. The law is not going to accomplish this, and will never be nearly as effective as a technical solution.
Remember when they wanted to make cookies and pop-ups illegal? Browser technology made it possible to deal with them, so the user had choice, control and freedom, without the need for a law.
I am honestly trying to think of ONE good Internet law that passed that was effective at accomplishing its goals. Is there one?
Open Standards Portal
Spyware relies on being bundled along with software that would otherwise be at least almost legitimate.
If these companies want to continue to do business in the USA and sell products to U.S. customers, they will have to think twice about continuing with producing spyware or doing business with spyware companies.
That'll reduce 99.9% of posts here to -1 scores. At least it'll make the pro-MS and Windows posts easier to find, I guess.
Well I hope this (the issue, not this particular proposition) doesn't die due to party politics. It would be a shame to see the republican congress (house and senate) decide to support the idea to "let the market sort it out".
Just add the 'notice' in the EULA/click-thru. No one reads them anyway.
Besides, I'm sure it's illegal in another way, no need to pass 'yet another law' to make something illegal x2.
---- Booth was a patriot ----
I beg to differ. You are more like the queen. In fact, you are my queen. Now, get in the kitchen and fix me some dinner, bitch.
It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user.
It is easy to keep legal on this. For every packet containing personal information or computer usage data, show a popup window kindly asking for explicit user approval... Ehm.
Well, every time I see some computer related legal problem of the yankee culture provenance I realise the legality is a very poor replacement for reality.
There you are, staring at me again.
I agree that if the bill was worded in a better sense to defend against the EULA loophole then it could work. The reason why most of these tech laws don't work is because there are too many nerds b*tching about it and not joining the government. Truth is the government may have the hardware, but not the software to fully utilize what they have. Then again maybe the word "law" isn't a cool enough buzz word for the youth of America.
3. IN PLAIN LANGUAGE IF ANY SPECIFIC DATA SHALL BE TRANSMITTED...
and, later...
S 4. This act shall take effect on the first of November next succeeding the date on which it shall have become a law.
Senator Baloni, what the fuck?! I have a Ph.D. from DeVry Institute of Lower learning, and even I know that means November 1, 3024...+/- a year. Right?
I'd like to see a couple more changes, something similar to the following:
1) Any GUI program which has the ability to transmit information over the internet without explicit action being taken by the user should have a standardized graphic warning dialog box, similar in appearance to the "US Surgeon General's Warning." This warning should say: The program must also include a WARNING.TXT file as described below.
If the software is run through a command-line interface or other interface which precludes the production of the standardized graphic, then it shall be sufficient for it to include in its installation package a file called "WARNING.TXT" which states, "The program you are about to install will transmit information over the internet without any enabling action being taken by you. Installation or usage of this program is deemed acceptance." This text file should preferably, but optionally, also explain the reason for needing an internet connection in plain language.
If the software is included as part of a package or operating system, then it would be sufficient for there to be one standardized graphic warning which is produced at the installation of the package and one WARNING.TXT file which names the individual files with internet capabilities.
Note, programs which only send information over the internet when expressly commanded to do so by the user are not required to have a warning of any kind.
Second: All EULAs should have their terms spelled out in a separate text file called "EULA.TXT" which can be read or printed as a standard text file on the target system. If the program comes with a hard-copy instruction manual which is over four pages in length, then the EULA must also be printed in the manual.
Any software which should have the standardized graphic warning dialog box, WARNING.TXT and/or EULA.TXT and doesn't would automatically be deemed in violation of the law.
Here's the thing. Even without such a law being passed, responsible coders in the OSS world could start to institute similar provisions. Eventually, one would hope that people would come to expect the appropriate warning image or file in their software, and would be wary of software which didn't have it. Of course, I wouldn't expect my exact suggestions to be implemented, but it would be better, in my lay opinion, for coders to organize a reasonable standard than to have the government impose something unreasonable upon them.
There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
I remember when cookies were first implemented by Netscape. I also remember when the first banner ads appeared on yahoo. People could boycott those sites. I remember when slashdot didn't have ads.
And at every step, somebody complained, loudly, that this was the end of the world.
Maybe it's not a good thing that doubleclick knows just about every news article I read these days. Maybe it's not so great that those news articles are crammed between (blocked) ads.
But you know what? Those are mere trivial annoyances next to these "drive-by installers" (discussed this morning on C-SPAN with a guy from the FTC) that use known security vulnerabilities to install themselves on my mom's computer to pummel her with pornographic ads. Fortunately she's a Mozilla convert, but the fact remains: sure, tracking cookies are unnerving, but it's not like the full-on assault against consumers that's going on now.
The features I get because I use cookies (like being able to stay logged in to slashdot) or accept advertising as a form of revenue (like the fact that slashdot even exists [though I do block the ads]) are acceptable trade offs. Hotbar, gator, and the myriad of other spyware tools offer absolutely NOTHING but annoyances. Nothing.
OK, it wouldn't be foolproof once people got used to it, but the OSS game Eternal Lands simply put a note in the middle of its EULA pointing out that if you don't change the contents of one of the files (and of course, what to change it to), the game simply won't work. The only way you can find this out is by looking through the EULA.
Eh, so what. Before I left, I pissed in your coffee maker.
The last couple of days I've been thinking seriously about getting up off my chair and going and filing some lawsuits against several companies that make those stupid toolbars etc. Those fscking things take over the target computer so bad that you have to go through 20 different steps to get rid of the damn thing. Some of them will take over your start page, and keep changing it back to itself, no matter if you change it to something else. So how is this not a virus and how is this not hijacking? I WANT BLOOD!
You can't really stop spyware by illegalizing it. It comes as an addition to a program your average Windows users want to install. So it's their fault if they also install features that they do not want. And what's the definition of 'spyware' anyway? Is the Windows Media Player spyware because it transmits your UID to Microsoft? Is Windows XP spyware with all this activation stuff? First, there has to be a clear definition of this term and its uses. Then there might be some kind of strict and standardized guarantee or approval that the original distributor of a proprietary software product doesn't use additional features for tracking users and uses. Then a company can be held liable if they infringe the rules of a standardized "spyware-free" label.
But alas, no law can stop users who have the habit of double-clicking everything clickable, be it in their Outlook in-box, their desktop or on some local network share.
There's only one way to stop it: education for users that happen to have a computer just by accident but don't understand a thing about it and are happy without having to read manuals or EULAs.
In Europe there was a huge problem with camouflaged dialers that establish a connection to some over-priced service providers charging as much as $35 per call. Only after the media got interested in people who got a devastating phone bill did politicians become aware of this problem and illegalize certain numbers that dialers use. Lots of loopholes are still open, but just the media coverage and the discussion about illegalizing a certain telephony service sensitized the average Windows user that dialers are something they don't want and that double-clicking unknown objects can indeed have a real-life effect.
1) Convince the US government this is a multi-billion dollar revenue source that is untapped. This would pass in a heartbeat.
2) Create Ballistic Armor for this occurrence. Similar to explosive charges on some tanks. When it pops up, it terminates the popup and sends a legal hard-drive-data-eating virus back to the host system.
3) Or when I click on "Ok", they agree to deposit 10,000,000,000 per month in that user's bank account for the next 10 years. All coming from an escrow fund.
4) They must fund a cleanup fund that would pay to have their junk removed.
I get so sick of seeing the count on Ad Away and others go triple and once in a while go 4 digits due to this junk working on computers that have either slowed down or crashed.
Uh, how about approval from the authoritative owner of the freakin MACHINE?
Little Johnny six-pack breaks into your house, shoots you in the head, sits down at your machine... and is now THE USER, and would have authority to consent to such trash.
Think of a corporate layout, for chrissake... end-users have the authority to grant such permission?
BULL$#%. Such garbage language would preclude *any* ability to set policy by the guy who OWNS the machine.
help me i've cloned myself and can't remember which one I am
Gotta agree that it is fluff. The principle of the bill is sound and probably stems from the original author getting something that he wanted, maybe it was a web browser or what have you; it started broadcasting his professional email to SpamKing, which is now abusing it. My guess is this is revenge 101, coupled with election-year fluff.
I love spyware! 50 dollars a pop to run an anti-spyware program on computers is keeping me fed! Don't be a whiner, be an opportunist.
I'm generally sympathetic to attempts like this to get rid of spyware, but it seems to me that "computer usage" needs to be defined carefully in order to avoid criminalizing the collection of innocuous usage information. For instance, I once wrote a time series editor that was basically an interpreter for a specialized programming language, kind of like emacs. For a while, I collected statistics on memory usage and how many times the language primitives were executed and had the program email it to me on exit. The program printed a brief message about this on startup but didn't ask the user's permission. That didn't seem necessary since the resources used were trivial and no personal information was obtained. I've heard of other people doing the same kind of thing. This could fall under information about "computer usage", which presumably is intended to be restricted to information that the user might want to keep confidential, such as web sites visited.
It would seem to me (IANAL) that the DMCA would be quite unenforceable, but may send the right message to pirates and thieves.
Spyware is malware, pure and simple, it is unethical and now it may become illegal.
I want to control what enters and leaves my computer, I do not want web sites installing software without my ok or knowledge. When I click "No" on something I expect it not to install.
There are so many HTML/Javascript based Spyware programs out there it is not funny. I just ran into a JS_INOR.M Spyware/Trojan that Norton AntiVirus 2004 did not even know about nor could it remove it. Trend Micro's Housecall found it and I was able to remove it. It was in my temporary Internet files, so it was on a web page I viewed that installed itself. I was doing research for a college class of mine and the online library only works in IE, not Mozilla or Netscape, some site it linked to for an article I wanted to get installed this malware on my system.
BTW even Spybot could not detect the JS_INOR.M bug. So I propose that the Federal Government form some sort of Anti-Malware organization to share removal information about malware with other companies to make better removal tools. This is a serious threat and a good bulk of this malware originates from other countries that do not have virus, trojan, spyware, adware laws.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Tragically, that might result in a tremendous decline in new legislation.
At the end of the EULA is a random 8 digit number. You have to scroll all the way to the bottom to read it in the EULA. In order to accept the EULA you have to enter this number, or else the install fails. That will stop people from hitting "Yes" or "Ok" without at least reading enough to see the number they need to continue.
Also what about EULAs on preinstalled software? Nobody clicked through the agreement, so how is it enforceable? Windows, MSWorks, MSOffice, MSMoney, MSScreenOtters, whatever was installed on the PC by the OEM. If it has spyware, like Media Player, it is already there and no EULA clickthrough was done. What about those issues?
How about we can the spam first and then work on other problems? The government isn't exactly known for handling multiple issues at once.
Reasons:
1) It's the obvious thin-end coming at us.
2) We can beat it with software, which is infinitely more user friendly than the machinery of cops and governments.
BTW: How valid is this assertion?
"If everybody has a CIA in their pocket then everybody will have equal military might, so computers save the world."
If you criminalize spyware, only the criminals will have it.
just like the humble blood clot... turboporsche@telus.net
You see, with every other product on the face of the earth there is substantial precedent for what constitutes use and misuse of the product. If you decide to open a bottle of catsup with a stick of dynamite you will not find a court anywhere that will let you sue because you got hurt. However, if you install a backup program, never run it and lose all your data, you probably can find a lawyer that will file saying the backup software company should have done something to prevent this from happening.
This is the legal climate that exists today. Doctors have to join large groups just to afford the malpractice insurance. Small companies need to have a full time lawyer on staff to review stuff and properly set up agreements. If you don't do this, you lose everything and maybe end up all working for somebody that takes over the whole thing.
I do not see any way to get away from every product published by someone with anything to lose having a EULA. Failure to do this will result in someone, sometime trying to get compensated for their perception of a failing. This goes equally well for free, open and even public domain software. There is no legal precedent as far as I know that says liability is limited to the purchase price or that free stuff has no liability.
I don't know any way out of the current situation other than revamping the entire legal system and maybe more. A few court cases where some precedent was established clearly identifying there not being liability except in cases of gross negligence would be nice.
There is a concept in law called unjust enrichment. It is actually a very old form of action, but it is kind of not used as a lead claim usually. The idea under unjust enrichment is that the defendant received a benefit which is unjust for him/her to keep. The cool thing about unjust enrichment, if the court buys it, is the plaintiff can get disgorgement of profits.
I am writing a paper this semester on a theory to sue the spyware companies. I even talked to one of the leading attorneys in the US in class actions - involved in such suits as the one against DoubleClick.
All the cases for online profiling have failed so far under federal causes of action - the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the so called Wiretap Act. I'm thinking a better route might be with state level actions such as trespass to chattels and unjust enrichment.
That DoubleClick case was interesting. The judge accepted a settlement agreement. One thing stipulated is that it covered all people in the US who had a DoubleClick cookie on their computers before some date in 2002. The other, get this, is that the attorneys got $1.8 million for "reasonable fees".
Now, who wants to pick an online spyware company and try again? I'm damn serious. If a case succeeded, it could make a career.
It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user.
So, that describes RecentChanges on a wiki.
Should we have a check box, that you must press, before each submit to a wiki?
What does this mean for Slashdot- does it transmit personal computer usage data when my name page shows the posts I've made?
Sometimes, well, probably many times, EULA's break the law.
Well, kinda. They contain rules that if enforced, would break the law.
Software companies put anything into EULAs and they know that half the stuff in them is likely not enforceable. But you'd have to go to court and have a judge decide; a luxury that most people can't afford.
- It's not the Macs I hate. It's Digg users. -
On the good side, I *do* know that the telemarketers are taking their 'do not call or else' thing seriously, so maybe if this worked in a similar way it would cut down on spyware as well.
But this is too 'smooshy'. How do you define Spyware? Does Gator/Kazaa escape because they tell you they're installing spyware in their EULA fine print? Would it create major hassles for legit software utilities that run in the background because of predictably poor legislation?
It's almost like you need a council of nerds to deem software good and evil - kind of like we have anti-virus teams already that categorize and report on them. But, like everything else, the law will have to boil down to something lawyers and judges can understand and control.
Does it hurt to hear them lying? Was this the only world you had?
It would seem to me (IANAL) that it would be quite unenforceable, but may send the right message to spyware outfits.
If an unenforceable law sends any message, it is that laws can safely be disregarded. We all remember how Prohibition and draconian anti-drug laws helped to foster our current universal respect for law in the United States.
When all you have is an axe, everything looks like a grindstone.
ActiveX is perhaps one of the worst things ever invented. I work on computers for extra money, and I can tell you for a fact.....80% of ALL home computers are infested with Spyware simply because of ActiveX (Show me ONE Linux box with spyware and I will kiss your bare ass on the courthouse steps at high noon). When I work on a Windows PC, I always install Mozilla and make it the default browser, hoping to prevent this from happening again, and saving my customers money.
Get RID of ActiveX and a LOT of computer problems will go away.
LeX
If you are asked to agree to the EULA or not and hit yes, YOU ARE EXPLICITLY AGREEING TO IT.
oh, i love taking care of it on a personal level. i printed business cards and everything... 35$ an hour. tons of customers. :)
Maybe this has already been pointed out (I'm too lazy to read the thread right now), but even a C-64 is an order of magnitude more complex (internally at least, not the UI) than most cars (not counting their computers), let alone the mis-matched hodgepodge of hardware and software that most people call 'My Computer'.
Oh, and if you start mucking around with your car's internals, throwing in strange fuel additives (while the neighborhood kids pour sugar in the gas tank for good measure), and bolting on all sorts of accessories, would you expect warranty service?
********RANT***********
People expect too much for too little from their computers. It's a holdover from the days when only techies played around with 'em. Companies could offer free support because they didn't have to waste time/money on dumb asses who were either too afraid or too stupid to learn how their computers work. Not that companies are blameless. All you've got to do to outsell the other guy is say "Our computer's are easy to use and our support's always free". Sure, you do great for a while, then the idiots start calling, and you've got to do all sorts of nasty things to keep 'em at bay, and keep them from realizing you're blowing them off.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Of course new laws, like the old ones, will have little effect anyway since this crap mostly comes from overseas.
As an aside, Spybot and Adaware don't catch everything, like the one I had. Another good tool for a windows sys-admin's arsenal is Hijackthis (http://www.spywareinfo.com/~merijn/), kind of a better and much more complete msconfig. It requires some more understanding to use correctly, but it will catch stuff nothing else will.
The Internet functions like a jungle full of ninjas. If an unsuspecting user walks through there and gets assaulted by a ninja, her complaint might be "But that's illegal!" right before her head is separated from her body. In order to catch a ninja, you have to be a ninja -- you have to swing through the trees with the greatest of ease and slice his head off. To survive without being a ninja, you put on a massive suit of armor so that it's harder to slice your head off. It can still happen, though, so you need to know how to use your armor.
I'm being overly dramatic and overly metaphorical, so I'll make it simple:
You CANNOT stop spam, viruses, worms, phreaks, spyware, hacks, cracks, modchips, reverse engineering, social engineering, or DOS attacks by making them illegal. I'm not saying that all of them should be legal, just that our tax dollars should not go to writing laws about them.
You can ONLY stop these things by educating people on how to not get hurt by them. Because they are all a confidence game on the user's computer, and on the user themself, they can all be prevented, but only by intelligent users.
Our tax dollars should go to educating people about how to not get hit by these things. Every school should be given funds to educate children in such things as programming/scripting (the basics of which go hand-in-hand with what they're learning in math), security, the basics of how to generally use software (like how to use any email client, not just Outlook Express or Hotmail) as well as things like open source/Linux (teaches them something they can take home without begging mommy and daddy to spend $20-$200 on a new piece of software)...
Even outside of schools, people should know that you don't just go download some new piece of software just because it looks cool and some friend told you about it. You go online and look it up, find out how many people are using it and what they think of it, whether the company that made it is trustworthy, whether there's an open source alternative, and so on. If you still want to try it and it doesn't look trustworthy, you run it in an untrusted user account, throwaway wine setup, chrooted environment, usermode linux, or throwaway computer.
People should know what a web browser / email client is and why you need to use one that is standards-compliant and secure. They should know how to set up sandboxes to play with potentially unsafe stuff. They should know how to use PGP, or at least why they care. They should know that it doesn't matter who they are or how unimportant their stuff is, someone wants to break into their computer, especially if it's easy.
What's more, We have the money. We just have to spend it on the right things.
Don't thank God, thank a doctor!
Sometime, when I'm not as annoyed, I'll write an open letter to my congressmen about this. Naturally, I will continue to send the letter saying "you did not read my letter" if I get a form response saying something like "We are aware of the issues about Linux" when Linux was only a side issue.
between a doctor and a computer programmer. I can choose to live without the services of a computer programmer. The doctor's services, on the other hand, I would categorize as essential. But I think you'll find that in situations where software is essential for human life (such as you described above), there is liability involved. That's why those kinds of devices cost tens of thousands of dollars. So in short, if your mother doesn't like it, she can just stop using the computer. It's not as though her life's going to be shortened by doing so. People need to take responsibility for their computers, or else alleviate themselves of it.
Oh, and that splash screen you mentioned, that's more or less an abbreviated EULA.
If some states already have these laws in place, why aren't the spyware people all sitting in jail? Even if they're outside the country they can be pulled in because they're sending info across the lines into these states and stealing it back, so there shouldn't be any excuse not to have the countries to ship them over and lock them up and throw away the keys.
That said, blocking sites at the firewall, setting up filtering servers, and everything else doesn't work 100% of the time. We've invested nearly $100,000+ in various security measures and our clients STILL get this spyware crap all over their machines. These sites and programs change faster than the people finding them can block them. Even the most high-end dedicated packet filtering systems with hourly subscription updates can't catch all this crap. It's a freaking MESS. And we're the ones who have to deal with it all in the end, or it's our ass on the line when the execs who pull in $100k a day in deals lose thousands for being offline for just 10 minutes.
...just imagine someone putting a tracking device in your clothing that informs advertising agencies, thieves and robbers what your daily habits are, where do you go, how long do you spend there and what stuff do you read, listen to and speak to, what people do you meet, and not only what do you buy but what did you intend to buy checking your shopping list....
I don't know the situation there in America, but here in Spain and in most of the EU, that block would end up in jail for at least a good ten years... besides, the fine would be astronomical...
... and God saw that Linux was good... Genesis 99.666
It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user.
Only one problem: the EULA probably would be written in such a way that you "give" permission or "agree" to them practicing the transference and collection of personal data. Or, the host that you are actually installing will probably have in their EULA that there are "partner" products that we agree to installing that may collect data to help "improve" your experience, yada yada yada.
The best way to do this would be to require you to approve each transmission on a transmission-by-transmission basis, being able to inspect that data before it is sent, and the total collection of data that you have ever approved to be sent. But that'll never happen, because this is America and that would be violating the spyware vendors' rights to "free speech" (in the form of: you spoke it on the public Internet by doing what they spied on, and they are speaking it by transmitting it)...
Thanks,
Leabre
N/.T
The ultimate network admin tool needs HELP!
It has been for far too long that unscrupulous people have been able to manipulate certain mechanisms on the net to advance their particular wants (For want of a better word). So it is my humble opinion that any moves (No matter how they are motivated) to generally protect on-line users, is a good thing. I have no doubt that there are many arguments for and against, but in general, I'm sure it's a good thing.
The Erogenous Zone
Face it, HTTP was never designed to do any decent session tracking. Yeah, there are ways to do it by embedding it in URLs etc., but they require a lot of effort on the part of the server.
:)
If you want permanent cookies on my machine, I have to explicitly give you permission. That should in my opinion be the default. Personally, I'd much prefer to have a built-in password manager where I may explicitly log in if I want to. Or actually, I prefer remembering my passwords, but that's just me
Kjella
Live today, because you never know what tomorrow brings
I have heard before that many courts of law will overturn a contract if it can be shown that the user was coerced into signing it or was not in full possession of his mental faculties when he signed it. Thus, if you are drunk and sign a contract, it may be possible to get that contract nullified by a court of law. The solution would therefore seem to be the practice of keeping a bottle of vodka near your computer and taking a couple of shots before accepting each EULA. Since you were drunk, you can probably successfully argue that it isn't legally binding...
Most importantly, will the Windows error report thingy now be illegal?
...since the result is usually 100% identical. Admittedly, now their choices are usually "Send report" or "Don't", but in the past I've had many a Windows error that, slightly paraphrased, was something like "Your machine just crapped out and everything you were working on will disappear, OK Cancel?"
Well, for crying out loud cancel it then. I want it all undone. But strangely enough hitting "Cancel" usually did a big nothing, as did "OK". It was time to hit the reset switch either way...
a bunch of other posts point out that windoze can be included in that description and most of them are +5 insightful or whatever, so how is this message a troll exactly??? i'll never understand the braindead /. modding system, i swear to christ!!!
...is that EULAs are unreadable. Most people wouldn't understand them, and getting a lawyer to tell you what it says would cost you more than the software is worth by the time he's read the first page. And each one is different. You might as well force them to read a page of ancient Greek.
What there should have been is a standardized licence with standardized add-ons, kinda like the Creative Commons licence. Unfortunately, that'll never happen because those providing the EULA don't want people to read it or understand it, unless it would mean it'd be struck down in court.
In the short term, perhaps some media focus on this issue might prove beneficial. However, in the long term, all a bill like this would mean is a few more lines in the EULA of any relevant software. Perhaps if a bill like this required that said authorization had to be completely separate from the standard EULA that most users just ignore and click next on - and obviously visibly so (I'm thinking, where possible, different colors and/or bold writing so that the user realizes that he/she isn't just agreeing to the standard EULA terms?)
just my thoughts
-d
6. "Intercepting or accessing of an electronic communication" and "intentionally intercepted or accessed" mean the intentional acquiring, receiving, collecting, overhearing, or recording of an electronic communication, without the consent of the sender or intended receiver there-of, by means of any instrument, device or equipment, INCLUDING THE USE OF KEYLOGGING COMPUTER PROGRAMS, except when used by a telephone company...in the ordinary course of its business or when necessary to protect the rights or property of such company."
any thoughts on what implications this might have for progs like ettercap or ethereal?? is it too paranoid to imagine a netadmin being sued by a former/disgruntled employee for monitoring network traffic?
--krewe
I saw it on Slashdot, it must be true!
RTFM..
The law will be come effective in May IF and only if it is not stopped by the WhenU.com countersuit...
-Think maybe groklaw will pick this up???
Laws DO NOT STOP illegal acts from happening.
Technical solutions don't STOP lawbreaking EITHER!!
Easy example:
Law(s) says theft is illegal.
Technical solution to theft: Better Locks, Fences, Pressure plates, Infrared Sensors, etc, etc, etc, etc...
Theft still occurs..
The ONLY people who gain from LAWS ARE THE LAWYERS!! AND MOST Legislators (State and Federal) are LAWYERS.
This is a case of the WOLF IN THE HENHOUSE deciding which HEN TO EAT!!!
-jeez
Get a clue...
Quite often EULAs also add that if any portions of it contradict the law (in your area), then they are void, but the rest of the EULA is not. What this means is that they disclaim responsibility for breaking the law, pretending that it "doesn't matter".
Future Wiki -- If you don't think about the future, you cannot have one.
If you don't sign the dotted line then you're free to take your chances at paying rent while working as a cashier at McDonald's.
:-P
Hey, don't knock those McDonald's cashiers - I'm posting this from a McDonald's in Guatemala City. 30 minutes of Internet access free with every value meal. And the breakfast was good.
A modern OS should take a paranoid approach to any installed software. Every privilege that an application needs should be explicitly granted by the user. For example: it's OK to give a web browser permission to open connections on the Internet but not to get access to a user's personal files. An application should only get access to files related to it. Most applications don't need unlimited access. A user-based system, while better than nothing, is not enough to solve the problem.
Trusting the author of every software we install has become impossible, so we need a solution that allows us to safely run software we don't trust and is simple enough that the average user can use it.
True warriors use the Klingon Google
Why can't they apply a law that says: if you have spyware in your program you should see a big pop-up "THIS PROGRAM WILL SEND PERSONAL INFORMATION TO ... OK? Y/N", instead of hiding it in the EULA. They've done it with cigarettes...
Makes me wonder if a similar state could be argued for spyware (checking legislation required of course). If neither party where there are two or more knows things are being monitored or where you are the only party it seems logical to argue it is an illegal act.
read the senator's name as Michael Baloney?
Personally, I think spyware and adware should be categorized in the same group as wiretap law. Sending personal private information without consent is illegal. The law should apply here. In case everyone forgot, all Internet activities (fiber, DSL/phone, cable) are over the wire - so wiretap law should take effect.
If you bought a house without counsel, you're a fool. I'm surprised a seller or a bank would deal with you if you weren't represented (although it's possible) - it's an invitation to a lawsuit later if you decide you're unhappy.
The principle (which is an old, well-known one) is that legal shenanigans are against the law.
Contracts come in all forms: even verbal, even implied, but underlying them all is a basic principle of fairness - that you're not being tricked, that you're not being subjected to something non-standard, surprising, or morally objectionable.
For simple contracts, buying groceries, for instance, there is an ancient social tradition which allows us to skip formalities. If you buy food that turns out to be rotten, everyone knows the grocer will give you a refund or a replacement. If you decide you weren't hungry after all, everyone knows it's your problem.
Quite a few things fall under this domain. Quite a few other things - real estate, for instance - don't. For more complicated transactions we have a prevailing sense that you must understand the contract you've entered into for it to be enforceable. That means that the contract mustn't be deceptive, but even more than that, it simply means you have to be comparably represented.
Cars, utilities, even credit cards perform according to a (theoretically) well-understood social contract. Inasmuch as the fine print on those transactions deviates from social norms, it's the fine print that's probably illegal.
EULAs themselves - shrinkwrap, clickwrap, and otherwise - are largely an audacious fiction, because they are agreements where conditions are disclosed after a purchase, without comparable representation, and often with conditions that are surprising and outside of accepted social norms, to say the least. You are wasting your time reading them, and insulting yourself and others by suggesting they stand uncontested. Indeed, there is straightforward case law that leaves the EULA as toilet paper (Step-Saver Data vs. Wyse/The Software Link). Not all judges agree, but the principles are clear.
And believe me, we're lucky that's true. Otherwise, you can skip down the road of corruption, ignorance; ridiculous commercial standards are at the end of it. That's shitty for everyone, not to mention bad for your economy.
Not until UCITA reared its ugly head - in a time so recent as to still be measurable in months - did shrinkwrap have any bearing on you. (Are you still not sure if your government is for sale? Read about UCITA.) And even then I suspect that when any really onerous part of a EULA (and spyware is an excellent candidate) is tested in court, it could be the UCITA that comes out the worse.
How about spyware installed not at your computer, but on your Internet connection? At your ISP for example. Say... Carnivore?
And what if the thing enabling the spying is not reporting back to somewhere, but is just a way to get in?
Is intentionally weak crypto spyware? The NSA limited publicly available key length to 56 bits, explicitly because it's easy to crack, up until 1999.
If aspiration is a virtue, achievement cannot be a vice.
Again, it comes down to the fact that a majority of Americans as a whole are lacking any realistic sense of accountability for their actions. These individuals think that when something goes wrong they can blame the software engineers, the I.T. department, and the network guys for not maintaining a secure "infrastructure." Then, when we restrict rights and access to prevent these users from inflicting damage on themselves and other local users, they scream that we are restricting their rights. :P) I suggest he might want to pass legislation requiring every computer-using citizen in the U.S. to take a "how computers work" course, sign an accountability waiver when they purchase a computer, and require that manufacturers start including "Computers for Dummies" and "Networking for Dummies" with every computer purchase. Although this might sound absurd, so is this legislation's attempt at allowing "stupid users" the luxury of not having any sort of accountability for their actions.
Before graduating from college I worked in an I.T. helpdesk position that responded to a variety of software, hardware, and network related calls. The majority of them were from n00b users who play games, check e-mail, and use MS Office applications. Not one had any clue of how computers actually work. They didn't understand that if everyone in a certain block of IP addresses were pushing fat DVD images over the school's network, that network speed would slow for everyone. Nor did they understand that providing their own information to ad agencies would incur spam, nor did they realize that they might need antivirus software or a firewall of some sort, nor did they realize that there were uninstall features for the programs bogging down system utilization time, etc, etc, etc.
If the Senator from New York is going to attempt to pass legislation with as many loopholes, protection for the stupid-by the stupid, and give empowering rights to the government to do the same thing the legislation prevents (not that they do that now
Does that mean that putting read-receipt on an email would be a criminal act?
***You learn something Every day. And then you die.***
Furthermore, you're required to indicate whether the software can have adverse effects on the downloader's computer or any software running on it. Well, DUH - sometimes you can predict that it will (if you're doing enough testing) and sometimes you can't (because users have all kinds of software on their machine, well-written or broken, and may have different revision levels of firmware, hardware, operating systems, drivers, etc. on it.) Sure, some software authors are EVIL and setting out to cause havoc, but many people are trying to do Good Things that happen to use lots of resources.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
That doesn't mean that you acquire a relationship with anybody they sell your name to, but the law isn't called "CAN-SPAM" for nothing - it creates lots of conditions under which spammers can spam.
It's kind of like saying "We've got the best Congress money can buy" - well no we don't! You should be able to buy much better Congresscritters than that!
Obviously, I could never be a sysadmin at your shop, because I would make some people look like the clods they are when our uptime approached 99.9 or better.
Sounds like your sysadmins are the ones who should lose their jobs for costing the company over $100,000 for implementing a solution that doesn't work, plus the cost of cleanup. When you move up to the big leagues (i.e., potentially losing thousands, if not millions, of dollars in a matter of minutes due to a poorly-executed transaction), then maybe you'll see that whining "we can't tell the users we have to wipe their machine because it is non functional due to spyware!" doesn't work. Then again, that requires buy-in from the boys up top. If you haven't sold them on the opportunity cost (and savings), then shame on you.
Yeah, right.
If you're going to write legislation that will (probably) affect all software (not just "spyware") why not require that anything being installed either:
- comes with a utility to completely uninstall the product being installed
- user explicitly agrees that the item being installed CANNOT be uninstalled without damaging the environment it's about to be installed into.
EULA's also don't mean crap. It depends on the court, etc. You can still take somebody to court even if you are under EULA, the same way that if you break your leg at the skihill due to bare patches you can sue, and win (most skihills make you sign a waiver which basically says they are not at fault for any injury).
Now, it may be that software isn't as well understood by most people for the purpose of suing, but nowadays where many many people have to deal with spam or popups I think that the concept of insidious spyware/malware is becoming much more well-known... enough that one of those companies could probably be nailed to the wall by an intelligent judge/jury (many of which probably deal with the same crap).