NYS Senator Suggests Criminalizing Spyware
putch writes "New York State Senator Michael Balboni has introduced legislation to make the dissemination of spyware a criminal act. You can read the full bill text here. Is this a good thing? It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user. It would seem to me (IANAL) that it would be quite unenforceable, but may send the right message to spyware outfits. Also interesting is that it requires any 'legitimate' spyware to disclose any bandwidth it may consume and requires the disclosure to be in bits per second." The bill is quite short and readable. (This might remind you of the recently introduced anti-spyware bill in the U.S. Senate.)
LWN ran a story about the Utah anti-spyware law last month. A number of parties objected, but don't appear to have any legitimate grounds for complaint. The law doesn't ban spyware outright, but requires that spyware explain to the user what it will do, and obtain the user's consent before doing it. Only naughty people/companies should have a problem with that.
The LWN story links to an excellent analysis of the law by Benjamin Edelman.
I run a network with about 300 Windows PCs on it and our staff has had such a hard time with removing this crap. I applaud this movement because I never thought I'd see something surpass the annoying presence of viruses on Windows. Spyware is now our number one threat of individual system stability, and generates so many support calls it's not even funny. While we're on the subject - anyone run a network and successfully automate Spybot S&D? We run it by hand, and never have had time to dig and see if it could be runnable via cmd arguments so we could streamline this whole deal with the logon scripts, such as auto-immunization. I looked at all the docs, and it doesn't say anything about that kind of stuff. Any help would be appreciated.
> Doesn't sound like it will catch most of what we call Spyware.
I'd have to agree. Spyware is any software that installs, either with or without permission, to monitor the user and relay information to third parties, for the purposes of selling merchandise or services. Spyware runs in the background, and is difficult to uninstall, or breaks other programs when uninstalled.
The dangers of knowledge trigger emotional distress in human beings.
Block all outgoing access to weatherbug.com, the 2 IP addresses used to show weather reports through weatherbug (I forget which ones, just run tcpdump to see them), and block the other major spyware (webshots, kazaa, etc). Then, you will have control adequately (and for those that think you can just cut admin access, try running AutoCAD or something similar (claimzone, etc) as a mortal user).
Bored? Why not join a decent mess
You might also, I don't know, image the person's drive; when they screw up the machine, restore the image instead of trying to "clean" it. That way you only spend a few minutes dealing with that, and they get the reinforcing pain of losing all their personalized settings. After doing that a few times, they'll figure out that downloading CRAP is bad.
Yeah, right.
Because if it's in bits per second, it can be compared to the overall speed of the host's internet connection.
Legally you're probably right. Once you sign the bottom line on a contract you're bound to it unless you can afford at least twice as many lawyers as the person holding the paper.
It's a shame, however. Consider employment. Because I'm a skilled intellectual employee the companies that I work for ask me to sign away all rights of ownership to anything that I do while I'm under their employment, _AND_ to keep them notified for up to three years of where I am and what I'm doing if I leave, _AND_ to agree never to use anything that I learned or discovered while employed with them to benefit any future employers. Strictly speaking, according to the terms of employee agreements, everything that I've done since 1999 is in breach of contract because everything that I do now was built on skills that I learned then. The only thing that saves me is that I'm not a big enough fish and haven't come up with any multi-billion dollar saleable ideas which would attract the attention of their legal vultures.
The US Constitution, specifically the parts about patenting of ideas and inventors retaining the rights to their invention, was written at a time when an individual wasn't dependent upon some communist corporate entity in order to breathe, eat, and have shelter and clothing. The spirit of those sections is being violated on a massive basis by every company in the US through employee agreements.
EULAs are similar. EULAs were written at a time when a few rich idiots lost their hard drives because they wanted to be cool and defrag their hard drive, didn't want to wait for it to finish, and clicked "cancel". Any half-savvy computer user knows that you don't take the disk out of the drive when the red light is on. I guess people thought that the basic premise of read/write integrity is negated by the invention of the "fixed disk".
All rants about incompetent users aside, though, the EULAs have grown to be in direct violation of basic codes of ethics with respect to product quality.
+++ATHZ 99:5:80
Why would Sen. John McCain (R, Arizona) be able to block a bill in the New York State Senate?!
STOP MISUSING APOSTROPHES, YOU MORONS!!!
And also make it part of the law that the "I agree" checkbox be OFF by default.
That alone should protect most people.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
The only gripe I have with EULAs is that they leave exception for companies to take pretty damned near any of your information once you agree to the EULA in many cases (not that they couldn't do that anyway, being closed source, but that's another topic of discussion entirely).
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Anyone opening a new internet access account should have to spend some quality time surfing here first.
Yes! Evil rules! Good can suck it! Suck it, good!
IANAL but I do know that paper contracts work the same way. If you sign a lease or a loan agreement, there is no requirement that you actually turn the paper over and read the legalese on the back. And if that legalese states that some other document is included in the contract, you don't have to read that, either. In fact, the other party does not have to make the included document available to you.
You can just blissfully sign the paper and not worry about it. If you should ever contest the terms of the contract and take it to court, the judge won't care if you read it or not. All he'll ask is if that's your signature and if you say yes, the case is closed.
Okay, for those who are lawyers, there are some rights that you cannot sign away. And you might have a case if you can show that there was deceit involved.
But for the vast majority of simple contracts such as leases and loan agreements, all the details are spelled out and you can read it if you like, or not. Most people just sign, because if they don't sign, they don't get the new car or the new apartment. Same with software: you don't click "OK", you don't get to use the program. For most people, that's all that matters.
You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
"Math in a song is good."-Linford
When I bought my house, I was handed a stack of papers connected with the mortgage, asked to read them, and then sign. The banker did not hold my hand and explicitly tell me anything bad that could happen. It was entirely my responsibility to sit and read those papers.
The mortgage doesn't require it, but your realtor is required by law to go over the paperwork paragraph by paragraph with you.
It took me over an hour with my realtor just to do the paperwork when I bought my house. Each paragraph was explained, and then I had to initial.
My mortgage wasn't as bad, they sent me a bunch of paperwork in the mail, I signed and initialed, and mailed it back in.
I agree, there is no way a EULA can be valid under contract law, although there are some factual errors in your post I should clear up. Oral contracts are just as valid as written ones. Of course, if there are no witnesses and the other party is willing to perjure him/herself, then you can have a problem, which is why signed papers are preferable. Notaries and witnesses are not required, they just (like having it on paper) make it easier to establish facts later if you have to sue to enforce it.
But EULAs lack any 'meeting of the minds', any compensation for the 'end user,' and any verification as to who the supposed 'end user' who clicks the accept button is, among other things. This is why they don't call themselves contracts, but rather 'licenses.' This dodge doesn't hold much water either, however.
Legally, you have no need for a 'license' to use the software you've already bought. (You would need a license to, for instance, create derivative works based on it, but not simply to use it.) So why on earth would anyone agree to one?
I've certainly never agreed to any such thing. I've occasionally pushed a button saying 'agree' or the like, simply because it's the only way to get software I own to perform its function, but the act is certainly performed in those cases without any intent to actually agree to the 300 pages of legalese that I haven't even looked at. I daresay I'm probably a pretty mainstream computer user in that way. And I can't see how a court could possibly claim that this act somehow held any water as a legal agreement without ceasing entirely to be concerned or bound by legal traditions and principles and coming out in broad daylight as just a mouthpiece for the corporations and nothing more.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Of course new laws, like the old ones, will have little effect anyway since this crap mostly comes from overseas.
As an aside, Spybot and Ad-Aware don't catch everything, like the one I had. Another good tool for a Windows sys-admin's arsenal is HijackThis (http://www.spywareinfo.com/~merijn/), kind of a better and much more complete msconfig. It requires some more understanding to use correctly, but it will catch stuff nothing else will.
The reason for the existence of the EULA is first and foremost the phrase that is in every single one about not being liable for consequential damages. Probably the second most important one is that you are not allowed to steal the product, or parts of the product and resell them independently.
That's pretty much straw-men arguments.
First, all you would have to do is have a splash screen that said "copyright 2004 all rights reserved. No warranty implied nor given." That would pretty much cover the purpose of the simpler EULAs out there. If you were particularly worried about it you could add the statement "Suitability for any purpose not guaranteed."
By doing this you do not require the end user to agree to an EULA, but at the same time notify him that you aren't giving him a warranty.
> Probably the second most important one is that you are not allowed to steal the product, or parts of the product and resell them independently.
That's what a copyright notice is for. You don't need an EULA to enforce this. Also, did an EULA stop all those warez people from copying programs that were caught in Operation Fastlink that we have been hearing about?
However, if you install a backup program, never run it and lose all your data you probably can find a lawyer that will file saying the backup software company should have done something to prevent this from happening. This is the legal climate that exists today.
I do not think so. The fact that people will sue over a cup of hot coffee being spilled in their lap doesn't mean that you require them to agree to sign a contract each time they buy a cup of coffee.
This is the legal climate that exists today. Doctors have to join large groups just to afford the malpractice insurance. Small companies need to have a full time lawyer on staff to review stuff and properly set up agreements. If you don't do this, you lose everything and maybe end up all working for somebody that takes over the whole thing.
Rather than hiring a full time lawyer maybe these companies need to use the money in improving their product so that it doesn't fail. There is a reason why doctors have to have malpractice insurance. It is to hold them accountable for their actions.
Why should software companies be any different? What makes them *so special* that they feel the need to be let off the hook for *everything*? Other companies have to offer warranties and accept responsibility for the integrity of their products. Why not software?
If I'm hooked up to a machine at the hospital that is performing a function necessary to the health of my person and it crashes because it is running Windows 98 and subsequently hurts my health, I'm going to sue regardless of any EULAs that some software designer agreed to or not.
If Microsoft was held accountable for the products they make, we would have a lot less problems with trojans, viruses, and other malicious software than we do today.
I just finished cleaning a bunch of porn trojans off my mother's computer that were probably put there through a security hole in Microsoft Windows. She was absolutely livid, as she should be.
I don't know any way out of the current situation other than revamping the entire legal system and maybe more.
Nothing in the legal system says a piece of software has to have an EULA. Maybe rather than worry about reforming the legal system we should reform the way software is bought and sold. Maybe software companies need to be held accountable as to the quality of the products they make, rather than tossing an EULA on it thinking that excuses them for shoveling a load of crapware onto our computers.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
That said, blocking sites at the firewall, setting up filtering servers, and everything else doesn't work 100% of the time. We've invested nearly $100,000+ in various security measures and our clients STILL get this spyware crap all over their machines. These sites and programs change faster than people finding them can block them. Even the most high end dedicated packet filtering systems with hourly subscription systems can't catch all this crap. It's a freaking MESS. And we're the ones who have to deal with it all in the end, or it's our ass on the line when the execs who pull in $100k a day in deals lose thousands for being offline for just 10 minutes.
If you bought a house without counsel, you're a fool. I'm surprised a seller or a bank would deal with you if you weren't represented (although it's possible) - it's an invitation to a lawsuit later if you decide you're unhappy.
The principle (which is an old, well-known one) is that legal shenanigans are against the law.
Contracts come in all forms: even verbal, even implied, but underlying them all is a basic principle of fairness - that you're not being tricked, that you're not being subjected to something non-standard, surprising, or morally objectionable.
For simple contracts, buying groceries, for instance, there is an ancient social tradition which allows us to skip formalities. If you buy food that turns out to be rotten, everyone knows the grocer will give you a refund or a replacement. If you decide you weren't hungry after all, everyone knows it's your problem.
Quite a few things fall under this domain. Quite a few other things - real estate, for instance - don't. For more complicated transactions we have a prevailing sense that you must understand the contract you've entered into for it to be enforceable. That means that the contract mustn't be deceptive, but even more than that, it simply means you have to be comparably represented.
Cars, utilities, even credit cards perform according to a (theoretically) well-understood social contract. Inasmuch as the fine print on those transactions deviates from social norms, it's the fine print that's probably illegal.
EULAs themselves - shrinkwrap, clickwrap, and otherwise, are largely an audacious fiction - because they are agreements where conditions are disclosed after a purchase, without comparable representation, and often with conditions that are surprising and outside of accepted social norms to say the least. You are wasting your time reading them, and insulting yourself and others by suggesting they stand uncontested. Indeed, there is straightforward case law that leaves the EULA as toilet paper (Step-saver Data vs. Wyse/The Software Link). Not all judges agree, but the principles are clear.
And believe me, we're lucky that's true. Otherwise, you can skip down the road of corruption, ignorance; ridiculous commercial standards are at the end of it. That's shitty for everyone, not to mention bad for your economy.
Not until UCITA reared its ugly head - in a time so recent as to still be measurable in months - did shrinkwrap have any bearing on you. (Are you still not sure if your government is for sale? Read about UCITA.) And even then I suspect that when any really onerous part of a EULA (and spyware is an excellent candidate) is tested in court, it could be the UCITA that comes out the worse.