Slashdot Mirror


NYS Senator Suggests Criminalizing Spyware

putch writes "New York State Senator Michael Balboni has introduced legislation to make the dissemination of spyware a criminal act. You can read the full bill text here. Is this a good thing? It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user. It would seem to me (IANAL) that it would be quite unenforceable, but may send the right message to spyware outfits. Also interesting is that it requires any 'legitimate' spyware to disclose any bandwidth it may consume and requires the disclosure to be in bits per second." The bill is quite short and readable. (This might remind you of the recently introduced anti-spyware bill in the U.S. Senate.)


  1. When is he up for re-election? by Liselle · · Score: 5, Insightful
    It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user.
    Doesn't sound like it will catch most of what we call Spyware. Pond-scum companies like Gator/Claria can always count on stupid people who click through EULAs. Barring that, they can always attach themselves to a legitimate program that needs the revenue, and may require the Spyware installed in order to function (blah blah, AdAware, but that's not the point).

    I'd be more interested in something that took a dig at the EULAs, in the grand tradition of protecting silly people from themselves. This bill looks like do-nothing election-year fluff. Were I a New Yorker, I'd tell this fellow to go back to the drawing board and try again.
    --
    Auto-reply to ACs: "Truly, you have a dizzying intellect."
    1. Re:When is he up for re-election? by LostCluster · · Score: 5, Insightful

      It's the definition of "explicit approval" that needs to be worked on...

      Gator's latest tactic is to display a hyperlink in the ActiveX install box that the user has to click on in order to see the terms of service. If the user just clicks "Yes" without visiting that link, they've agreed to a long document's worth of terms without having them transmitted.

      That shouldn't be possible. That shouldn't be considered an acceptance of the license.

    2. Re:When is he up for re-election? by maximilln · · Score: 5, Insightful

      I still don't understand why the software industry gets the EULA privilege while other industries are at least somewhat accountable for producing a quality product. EULAs are getting to be so broad that they mirror the OSS example of, "If this software eats your hard drive we are not responsible." I accept it from OSS/GPL software because I'm not paying for it and it's not using information from my system to make a profitable database for someone else.

      In America, you pay for the privilege to be spied on, infiltrated, and abused? wtf?

      --
      +++ATHZ 99:5:80
    3. Re:When is he up for re-election? by CAIMLAS · · Score: 4, Insightful

      Um, no, EULAs are not 'getting' to be so broad that they mirror the (as you say) "OSS" example of, "If this software eats your hard drive, we are not responsible."

      That's been the clause of software packages since, um, forever. Same for hardware. You're out of your fucking mind if you think otherwise: the only way you'd not be in such a scenario is if you paid mucho dinero to a company for insurance and/or some sort of odd support contract. You get no guarantees.

      No, these EULAs (spyware, microsoft's, and many others) are more the equivalent of, "You agree to let us fuck you in the ass repeatedly" or, "You agree that we can sell your personal information without your explicit permission," or "You agree that you don't mind these goddamned popups every several seconds." It's like someone saying, "Let us use your lawn to watch the fireworks" and they bulldoze your house to put in bleachers.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    4. Re:When is he up for re-election? by maximilln · · Score: 3, Insightful

      Commercial software should never be allowed the disclaimer, "We are not responsible if this software eats your drive." If the software is paid for there should be some liability--at least for the cost of the software. I don't agree with cost of lost data. The user accepts some risk.

      -----
      EULAs (spyware, microsoft's, and many others) are more the equivalent of
      -----
      Which is far above and beyond the humorous summary of GPL.

      So you're agreeing with me... in an adversarial way?

      --
      +++ATHZ 99:5:80
    5. Re:When is he up for re-election? by maximilln · · Score: 5, Insightful

      Indeed. And, for some reason, the fact that a user has clicked the EULA negates all expectation of any sort of preexisting ethical or moral guidelines.

      I think this world has degenerated to a level of: Regardless of any legal documents you may think exist, you have no rights. Now, if you'll just sign here and agree to let us hamstring you, we might give you some of those rights that you think you have. If you don't sign the dotted line then you're free to take your chances at paying rent while working as a cashier at McDonald's.

      --
      +++ATHZ 99:5:80
    6. Re:When is he up for re-election? by secondsun · · Score: 2, Insightful

      Unless I have missed something, an EULA is a contract. Contract law has many nice stipulations.

      Oral contracts aren't worth the paper they're printed on i.e. no proof no contract.

      Both parties have to agree to not only the same contract but also the same interpretation of the contract (which is why when you get a cell phone before you sign anything the sales person has to walk you through the entire contract).

      A proper contract is notarized and signed by a witness.

      A proper contract is between two people of majority age.

      A contract must not be signed under distress.

      And many other gotchas designed to keep lawyers employed and make contracts possible to break out of. How many of these do EULAs cover?

      Now for the ontopic part, the user of the software and the person who agreed to the software terms are not necessarily the same person so even if someone signed explicit agreement it is null and void if the person using the software did not agree to it.

      --
      There is nothing wrong with being gay. It's getting caught where the trouble lies.
    7. Re:When is he up for re-election? by maximilln · · Score: 1, Insightful

      -----
      A contract must not be signed under distress
      -----
      Please, educate me more about this clause. I'd like to have my employment and credit card contracts reevaluated under the light of, "Well, your Honor, it was either sign a contract that I knew was a scam or else look at homeless hunger as a real option of life."

      Do you think I'll win? I have doubts...

      --
      +++ATHZ 99:5:80
    8. Re:When is he up for re-election? by spongman · · Score: 3, Insightful

      the problem is that the damages that can be caused by running software are not necessarily proportional to the cost of that software. $10 shareware can cause as much damage as a $10K enterprise suite if it goes wrong. if you remove the EULA then you are essentially opening the whole software industry up to liability suits. this will affect open source projects much more than commercial products since commercial products will just add the cost of liability insurance to their market rate. take (american) football helmets for example, a $5 helmet might cost up to $50 in the stores, most of which is insurance. open source projects currently have no way of footing this bill so US-based OSS distros will lose much of their market advantage, especially since they're not directly in control of the quality of the various components they ship. nobody wants to invest in unmanageable risk, you'd be better off going to vegas.

    9. Re:When is he up for re-election? by spectre_240sx · · Score: 2, Insightful

      I disagree. While I understand what you are saying, the examples you gave are situations of something being sold / transferred in good faith. Spyware, however, is downright harmful. There is nothing about spyware that any person would want anything to do with.

      A lot of people who come into the shop I work at with spyware on their computers have no idea what it is or how it got on there. That's quite a bit different than a less than helpful clause in a loan agreement.

      Spyware should be treated differently because it IS different. Its only reason for being is to make the company money while destroying people's computers in the process.

    10. Re:When is he up for re-election? by Reziac · · Score: 2, Insightful

      I think the difference is that with your car or mortgage, they stick the entire "EULA" in front of your face where you can't help but trip over it. Whereas spyware and other odious companies frequently do whatever they can to avoid having you read the EULA or TOS, such as only posting it on a website rather than including it with the software or service. It's available, all right, but only with extra effort or inconvenience.

      Side thought: there are regulations on how small the "fine print" in meatspace advertising can be (and maybe in contracts too, I don't know about that), because if it's made deliberately illegible, that's considered a deceptive practice. To extrapolate that a bit, isn't making an EULA in some way difficult to read (if only by inconvenient access) essentially the same thing?

      [I agree that "this company is a bunch of shitheads" is NOT a valid reason to change the rules just for them. Whatever applies to one company should apply equally to all.]

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  2. Criminalizing is a bad idea by Anonymous Coward · · Score: 5, Insightful

    Because the law will be overly vague, and the next thing you know, you'll be going to jail for writing software which has online updating.

    1. Re:Criminalizing is a bad idea by eclectro · · Score: 2, Insightful


      Some people (aka myself) don't like to be continually reminded by an application that they have to purchase/download an upgrade for the software.

      If there is a patch/upgrade available, they can let me know by email.

      The application does not need to "phone home" for any reason.

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    2. Re:Criminalizing is a bad idea by ctr2sprt · · Score: 2, Insightful
      The vagueness isn't the problem. If you make it more specific, there will be loopholes the size of trucks - the more complex and precise the law, the bigger the loopholes - so they are trying to leave it vague to leave it up to the interpretation of judges and juries. Which also carries its own set of problems.

      The real issue here, from what I can see, is that we're trying to criminalize taking advantage of ignorant and/or gullible people. Yes, it's a bit of a fuzzy line. But ultimately people are responsible for their own actions. It's your responsibility, as a computer user, to ensure that you don't install spyware - if you care, anyway. It's not the responsibility of the government to prevent you from doing stupid shit.

      I manage to avoid installing spyware because I am informed and cautious. Perhaps it's unfairly egalitarian of me to assume that what I can do, others can too. But I don't think it's good policy to pander to the ignorant, for all that it's what gets you reelected.

  3. Explicit Approval? by williamstephens007 · · Score: 5, Insightful
    defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user

    Seems like the problem here is "explicit approval". I have personally witnessed people who just answer "YES" or "OK" to anything and everything that pops up on their screen - are they not giving explicit approval? They may be signing away their first born in a paragraph you have to scroll down to see, and they would never know.

    --
    William Stephens
    MCSE,MCDST,Well Respected VBScripting Guru
    williams007@yahoo.com,(212)275-4831
    1. Re:Explicit Approval? by maximilln · · Score: 2, Insightful

      Oooooh bad idea.

      Can you imagine the increase of the price in software if it had to go through a federal FDA equivalent to make it to the product shelves? Pirating would go through the roof and then all of these corporate monopolists would push for Trusted Computing that much harder.

      Besides, Quaker doesn't admit to adding mercury to their oats and the federal labs don't bother to test Quaker oats but once a decade, with 5 years advance notice, using a special box shipped out the side door. How would labelling requirements prevent MS from bundling spyware and exploitable backdoors with the EU version to slap them back?

      --
      +++ATHZ 99:5:80
  4. Digital Agreements... by LostCluster · · Score: 4, Insightful

    I think the biggest problem with EULA's is that they can be agreed to without being fully displayed to or read by the end user.

    I think that it'd be useful for there to be a legal standard for how a EULA must be presented to a user to be binding. I don't think it should be possible for a user to be legally bound to an agreement that they might have missed by too quickly clicking a "Yes" button.

    1. Re:Digital Agreements... by Mycroft_VIII · · Score: 5, Insightful

      I think that it'd be useful for there to be a legal standard for how a EULA must be presented to a user to be binding.

      How about, not binding unless read, agreed to, and signed BEFORE you buy/download the software for a start.
      I think shrinkwrap licenses are a load of bull and they should be just as struck down as they were when they were tried on other products some time ago.
      Also the requirement for 'plain language' was a good thing in the proposed bill, however a requirement of prominence and a reasonable effort to make sure it's actually read would be nice as well.
      Plus some of the vagueness needs to be taken care of. As it currently stands some spyware could get through and some non-spyware could be 'caught'. I believe someone else mentioned the update feature on software, though I'd rather not have more than a notice be automatic, or at least require auto-updating to be turned on. McAfee's updater is broken, it tries silently EVERY 5 MINUTES. And if you've configured Windows to automatically connect it'll quite happily do so and if you're paying by the minute..........

      Mycroft

      --
      https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
    2. Re:Digital Agreements... by Nerd+With+Nalgene · · Score: 5, Insightful

      The problem is not in the way a EULA is displayed.
      It is that people don't want to read them. I've seen some where the reader has to scroll all the way down through the license before it is even possible to click the 'I Accept' checkbox. This is a step in the right direction, but the fact is, it isn't enough to help most users. They will figure out what they have to do to get past the license agreement, and most will never even consider reading it.

      --


      "as if nothing were solid...and that would be the end of the world, not fire and brimstone, but goo."--Rand
    3. Re:Digital Agreements... by stryck9 · · Score: 2, Insightful

      Getting EULA's in English would be the first step.

    4. Re:Digital Agreements... by Uber+Banker · · Score: 2, Insightful

      Do you suggest a quiz on the EULA to be answered?

      If anyone agrees to a contract (whether they have read it or not) they deserve to be bound by it. I am in no mind to defend people who agree to contracts they have not read; rather I think we should fight spyware that is true spyware - installed without warning, contract, etc, and hard to uninstall - there is plenty of this about, including from the likes of Gator.

    5. Re:Digital Agreements... by eclectro · · Score: 5, Insightful

      I think the biggest problem with EULA's is that they can be agreed to without being fully displayed to or read by the end user.

      Maybe the biggest problem with EULAS is the fact that they exist at all.

      The only thing an application should have is a copyright notice.

      EULAs are only used to try and take away a user's rights (illegally) that go beyond copyright.

      Do you know of any store that will take back a piece of opened software and give a refund that you disagree with the EULA ??

      EULAs are immoral in the extreme. This has to be the first issue that a computer rights group should take up.

      And the statement printed on software boxes (like microsoft's) that state "You must agree to the end user license to the software" or other such statement is so much poo smelling malarkey that it's not funny.

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    6. Re:Digital Agreements... by Anonymous Coward · · Score: 1, Insightful

      EULAs are truly dysfunctional. I remember recently updating a Windows XP system with about 20 or 30 updates. Every single one of them had its own loooooong EULA which had to be agreed to. It would have taken me about two work-days to read and study all the legalese, yet Microsoft *expects* you to ... that's two days downtime for installing some XP updates, now that's high TCO for you. Alternative is to just not read the EULA, but you have to agree to it, but can't reasonably read it.

  5. But... by djcreamy · · Score: 3, Insightful

    How many people just click "OK" when the annoying messages appear? Is that considered "explicit" approval? Will there now be more annoying user agreements to read through? Most importantly, will the Windows error report thingy now be illegal?

  6. Figures... by BigDork1001 · · Score: 3, Insightful

    They can't pass a friggin' budget on time for like 15 years in a row but some Senator gets pissed off by Gator and suddenly let's do something. While I appreciate what he's trying to do there are more important things.

    --
    "Armed forces abroad are of little value unless there is prudent counsel at home" - Cicero
    1. Re:Figures... by scifience · · Score: 3, Insightful

      Actually, this won't stop Gator or most of the things that users consider "spyware". As long as the user decides to "opt-in" to being tracked (in other words, the user clicks Agree to some license) there is nothing that this law can do. The only thing this would really stop is trojans that collect information without the user's "knowledge". While most users don't know that Gator and the like are installed, they have technically opted in by clicking agree on the license screen.

  7. It should be enforceable... by LordZardoz · · Score: 5, Insightful

    The test would be to see what sort of thing the user has to click to agree to use the spyware.

    If it's a 30 page EULA, with a 'next' button, then it is not explicit approval.

    If it's a large dialog box that says "Do you wish to provide Company X with personal information", and lists what info it will send, then that is explicit.

    If someone files a complaint under this law, and the spyware does not comply with the appropriate standards, then the company pays a fine (income for the state!), and possibly jail time.

    END COMMUNICATION

    1. Re:It should be enforceable... by CAIMLAS · · Score: 4, Insightful

      Absolutely. I'd wager a good half of the problems are due to the copious amount of legalese.

      That's yet another advantage of open source. There is only a relatively small number of licenses: GPL, LGPL, BSD, and a couple others. "This software uses the GPL." You have to read it once, and you then have an idea what subsequent GPL-licensed software allows (or doesn't allow).

      Why not make businesses agree on a standard license model that can be used by everyone? "This software conforms to the American Business Ethical License, with the following additions:" (ie, no exceptions, because that would allow for spyware, etc.) or such. It might not be as "free" (as in speech) as OSS, but it will at least provide a standard by which corporations and other companies can be held accountable.

      But then again, whoever heard of ethics in business? Certainly not the last couple generations.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  8. The Congress is expert at by Anonymous Coward · · Score: 5, Insightful

    ... protecting stupid people from themselves.

    All of these legal measures, this one and the bill in Utah that someone else has mentioned are band-aids applied to the sucking chest wound of the fact that the average 'Net user wants all the freedom of going to any site in the world and downloading anything he/she wants and none of the responsibility of intelligently choosing said content based on a solid understanding of how information technology actually works.

    Call me elitist if you want to, but the scary thing to me about this idea is that it will give lazy idiots (the people who still call themselves Newbies after using a device for years) another disincentive to actually gain some knowledge of the tools they use and take for granted every day.

  9. Never get passed by Anonymous Coward · · Score: 3, Insightful

    Wouldn't this make it illegal for companies like Adobe, to include spyware like anti-piracy measures in their products?

  10. Fine line... by Anonymous Coward · · Score: 1, Insightful

    Ok so what exactly is 'spyware' (rhetorical question)? Is the 'customized' netscape/IE browser my ISP made me install (for a 'superior Internet experience') considered spyware?

  11. Re:Computer Crime Double Standard by CAIMLAS · · Score: 5, Insightful

    A huge part of the problem is the omnipresence of those goddamn ActiveX objects.

    I use Mozilla. I don't miss the "content" that oh so many of these objects supposedly allow me to access. I don't even know it's missing, most of the time. Most people get so many of these that they just instinctively click "yes," because otherwise something "might not work right".

    And yet people are inundated by their scourge many times daily, "Do you trust this person?" Why should I, or anyone else, have to make a value judgement on the person (or company) who set up a web page just to view their content? I shouldn't.

    You can blame MS for this mis-feature, as it's nothing but a crude hack for the inherently insecure design in ActiveX.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  12. Some Spyware by cluge · · Score: 5, Insightful

    Some things that probably meet such a broad definition of spyware -

    Windows XP
    Windows Media Player
    Internet Explorer

    All of these programs transmit personal information without your consent (sometimes this depends on your patch level and the virus du jour as well). That being said, as soon as you turned the computer on, or opened the shrink wrap you accepted the EULA. Thus you explicitly accept that your personal information will be transmitted. The same types of wording are in the EULAs that often accompany spyware that people install. In the end - it's probably a moot point. Personally I think it would be more important to look at EULAs as a whole and how they are used to take away the rights of consumers, as well as shield companies that knowingly sell out defective software.

    cluge
    AngryPeopleRule

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  13. One problem with this bill by max+born · · Score: 3, Insightful

    6. IF SUCH DOWNLOAD SHALL ALTER THE SPEED THE COMPUTER TRANSMITS DATA AND IF SO WHAT SUCH ALTERATION SHALL BE IN BITS PER SECOND.

    Note the non-technical term speed to describe bits per second. Downloading doesn't alter the rate your computer transmits data, it depends on bandwidth capacity.

    We need to innovate, not litigate. Spyware protection should be built into the computer not regulated by the government.

  14. Legislatures(sp?) by MisanthropicProgram · · Score: 2, Insightful

    You Sir,

    Are so correct!

    I wish folks would look for other options before getting the Legislatores(sp?) involved! They will only pass laws that will further their career one way or another! Or, as you have suggested, add on to laws to further agendas of their campaign contributors!

  15. Adam Smith says.... by Statecraftsman · · Score: 1, Insightful

    that we are well off by letting each member of a community act in their own best interest. It's hard to see how the spyware authors' best interest serves our internet community as a whole. Therefore the spyware author's self interest must be an important step in the growth of the internet and our own claims of personal freedom. If you care enough to not be watched while you surf or use, you will make sure your computer is not host to any spyware. I can say I don't have any spyware and if you really care, you can say the same!

  16. Re:Trolling for dollars by Anonymous Coward · · Score: 2, Insightful

    Nice idea, but 82.7% of these things use plain ol HTTP over port 80 in order to go through firewalls (statistics pulled from ass).

  17. saw a loophole by zogger · · Score: 3, Insightful

    it's small as laws go, but I saw a glaring loophole here:

    SUCH COMMUNICATIONS ARE COMPUTER FILES THAT DISPLAY ALL OF THE KEY STROKES THAT A COMPUTER USER MAKES.

    some goon spyware shop just eliminates the letter q or h or a few more, they can slide by and still easily read the keystrokes for most purposes. Should be struck and changed to ANY keystrokes instead of ALL keystrokes then.

    Besides that it's an attempt. Hard to describe spyware though legally, isn't it? And what's data, personal data? Say I don't want ANYONE without my permission (and paying me a fee and getting a license) to be able to identify my architecture, operating system, etc. I could call that personal data, and it is really. whoops, just wiped out the ole intarweb there.

    Maybe a better way. I dunno, let the smarter guys chew on this one.

    Make it illegal to transfer any data in or out of my box without the permission-granted by me by a normal http or similar transfer protocol request from the box itself, or by a signed digital signature granting license for specific services, said license being available by a certain request, the "ping of what's cool to do or offer" request we'll call it before it gets mush mouthed. Doing it, transferring unwanted data in or out of my box with an executable won't matter then, it will be covered if it hasn't been licensed in advance by MY license, not theirs, as well as any external flooding, overflow attempts to get root, whatever. Seems like it would anyway. Simple, to the point, covers most anything illegal. That'll cover quite a bit, and also make all unsolicited email illegal as well.

    OR, bring back dueling, make it legal

    OR, pass one law, every 20 years all politicians are fired, they may never hold any elective or appointed office, nor may they be hired-on to government, no work as a lobbyist. along with that, all previously passed laws are null and void, a national "jubilee" (in the classical/historic sense) is declared, and we start from scratch all over again with the basic bill of rights and constitution.

    Solve all this crap every 20 years painlessly. Every generation should have their own chance to screw up equally, I say.

  18. Re:Agreed by Bastian · · Score: 3, Insightful

    If a car does not behave as advertised, customers raise a shitfit and the company ends up eating a lot of their own dog food.

    If software does not behave as advertised, that's par for the course.

    As we say in Wisconsin, what the fuck?

  19. speaking of Criminality... by KimiDalamori · · Score: 3, Insightful

    I think it should be criminal to create a program which resists being uninstalled by the owner of the hardware on which it was installed, regardless of whether or not the owner accepted its EULA.

    --
    Lagito ergo expectabo
  20. Technical solution by Openstandards.net · · Score: 4, Insightful
    I believe this is another case of the law trying to preempt a technical solution.

    Instead of a new law, where the cons by far outweigh the pros, from being overly broad to being ineffective because of EULAs, how about a technical solution?

    One solution would be a browser plug-in that checks a central database for spyware "signatures", similar to anti-virus software. It would then warn you whenever you downloaded spyware, with a link to more information at the central site.

    The primary reason spyware has become prevalent is because users are unaware. The law is not going to accomplish this, and never be nearly as effective as a technical solution.

    Remember when they wanted to make cookies and pop-ups illegal? Browser technology made it possible to deal with them, so the user had choice, control and freedom, without the need for a law.

    I am honestly trying to think of ONE good Internet law that passed that was effective at accomplishing its goals. Is there one?

  21. Re:It'll hurt them by Bastian · · Score: 2, Insightful

    Spyware relies on being bundled along with software that would otherwise be at least almost legitimate.

    If these companies want to continue to do business in the USA and sell products to U.S. customers, they will have to think twice about continuing with producing spyware or doing business with spyware companies.

  22. Re:Agreed by msim · · Score: 4, Insightful

    It's just unfortunately the way things go. Logic dictates that it should be the same for a car as for software. But somewhere along the tracks long ago they would have put that clause in, and most likely set a precedent somewhere.

    Also there's the fact of multiple bits of software from a multitude of vendors interacting can screw up something royally, even if they apparently should work flawlessly. Sometimes it's program logic that's skewed, sometimes library or call incompatibility. Hell it could even be library incompatibility within different revisions of the same software.

    It should work with all the programs working to a reasonable set of rules. But people discover shortcuts and they like these shortcuts in the name of efficiency or laziness. Thusly computers are far more likely to shit themselves.

    Then again I have had a workmate who had a warranty repair on an engine failure in his car (second time around in 1000km, still well within the 30,000km warranty) refused under warranty. Simply because the dealer advised him to go out and get a 2nd hand waterpump to make do as getting a genuine part in would mean his car was off the road for a month.

    He rocked up after those 1000km's with a very broken car and was told to nick off as they can't touch it. Simply due to the secondhand part in it that could have caused the engine failure. It had nothing to do with their shoddy workmanship and having forgotten to check the bigend bearings as well as the top end.

    --

    Life is like a box of chocolates, you never know when you're gonna get food poisoning.
  23. Another Useless Bill by nurb432 · · Score: 3, Insightful

    Just add the 'notice' in the EULA/click-thru. No one reads them anyway.

    Besides, I'm sure it's illegal in another way, no need to pass 'yet another law' to make something illegal x2.

    --
    ---- Booth was a patriot ----
  24. Cool definition... by Maljin+Jolt · · Score: 2, Insightful

    It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user.

    It is easy to keep legal on this. For every packet containing personal information or computer usage data, do a popup window kindly asking for explicit user approval... Ehm.

    Well, every time I see some computer related legal problem of the yankee culture provenance I realise the legality is a very poor replacement for reality.

    --
    There you are, staring at me again.
  25. Invest in education, not prosecution by dwave · · Score: 5, Insightful


    You can't really stop spyware by illegalizing it. It comes as an addition to a program your average Windows users want to install. So it's their fault if they also install features that they do not want. And what's the definition of 'spyware' anyway? Is the Windows media player spyware because it transmits your UID to Microsoft? Is Windows XP spyware with all this activation stuff? First, there has to be a clear definition of this term and its uses. Then there might be some kind of strict and standardized guarantee or approval that the original distributor of a proprietary software product doesn't use additional features of tracking users and uses. Then a company can be held liable if they infringe the rules of a standardized "spyware-free" label.
    But alas, no law can stop users who have the habit of double-clicking everything clickable, be it in their Outlook in-box, their desktop or on some local network share.
    There's only one way to stop it: education for users that happen to have a computer just by accident but don't understand a thing about it and are happy without having to read manuals or EULAs.

    In Europe there was a huge problem with camouflaged dialers that establish a connection to some over-priced service providers charging as much as $35 per call. Only after the media got interested in people who got a devastating phone bill, politicians became aware of this problem and illegalized certain numbers that dialers use. Lots of loopholes are still open, but just the media coverage and the discussion about illegalizing a certain telephony service sensitized the average Windows user that dialers are something they don't want and double-clicking unknown objects can indeed have a real-life effect.

  26. Approval from the USER??!! by SmurfButcher+Bob · · Score: 2, Insightful

    Uh, how about approval from the authoritative owner of the freakin MACHINE?

    Little Johnny six-pack breaks into your house, shoots you in the head, sits down at your machine... and is now THE USER, and would have authority to consent to such trash.

    Think of a corporate layout, for chrissake... end-users have the authority to grant such permission?

    BULL$#%. Such garbage language would preclude *any* ability to set policy by the guy who OWNS the machine.

    --

    help me i've cloned myself and can't remember which one I am

  27. re fluff by Anonymous Coward · · Score: 1, Insightful

    Gotta agree that it is fluff. The principle of the bill is sound and probably stems from the original author getting something that he wanted, maybe it was a web browser or what have you, and it started broadcasting his professional email to SpamKing, which is now abusing it. My guess is this is revenge 101, coupled with election year fluff.

  28. I dreamed about this for a long time by Orion+Blastar · · Score: 4, Insightful

    Spyware is malware, pure and simple, it is unethical and now it may become illegal.

    I want to control what enters and leaves my computer, I do not want web sites installing software without my ok or knowledge. When I click "No" on something I expect it not to install.

    There are so many HTML/Javascript based Spyware programs out there it is not funny. I just ran into a JS_INOR.M Spyware/Trojan that Norton AntiVirus 2004 did not even know about nor could it remove it. Trend Micro's Housecall found it and I was able to remove it. It was in my temporary Internet files, so it was on a web page I viewed that installed itself. I was doing research for a college class of mine and the online library only works in IE, not Mozilla or Netscape, some site it linked to for an article I wanted to get installed this malware on my system.

    BTW even Spybot could not detect the JS_INOR.M bug. So I propose that the Federal Government form some sort of Anti-Malware organization to share removal information about malware with other companies to make better removal tools. This is a serious threat and a good bulk of this malware originates from other countries that do not have virus, trojan, spyware, adware laws.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  29. EULA and the solution by Orion+Blastar · · Score: 2, Insightful

    At the end of the EULA is a random 8 digit number. You have to scroll all the way to the bottom to read it in the EULA. In order to accept the EULA you have to enter this number, or else the install fails. That will stop people from hitting "Yes" or "Ok" without at least reading enough to see the number they need to continue.

    Also what about EULA on preinstalled software? Nobody clicked through the agreement, so how is it enforceable? Windows, MSWorks, MSOffice, MSMoney, MSScreenOtters, whatever was installed on the PC by the OEM. If it has Spyware, like Media Player, it is already there and no EULA clickthrough was done. What about those issues?

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  30. Can Spam First by BondGamer · · Score: 2, Insightful

    How about we can the spam first and then work on other problems? The government isn't exactly known for handling multiple issues at once.

  31. The real purpose of a EULA ... by cdrguru · · Score: 2, Insightful
    The reason for the existence of the EULA is first and foremost the phrase that is in every single one about not being liable for consequential damages. Probably the second most important one is that you are not allowed to steal the product, or parts of the product and resell them independently. Just about everything after that is to reinforce those two phrases. At least that is what the lawyers tell me about our EULA.

    You see, with every other product on the face of the earth there is substantial precedent for what constitutes use and misuse of the product. If you decide to open a bottle of catsup with a stick of dynamite you will not find a court anywhere that will let you sue because you got hurt. However, if you install a backup program, never run it and lose all your data you probably can find a lawyer that will file saying the backup software company should have done something to prevent this from happening.

    This is the legal climate that exists today. Doctors have to join large groups just to afford the malpractice insurance. Small companies need to have a full time lawyer on staff to review stuff and properly set up agreements. If you don't do this, you lose everything and maybe end up all working for somebody that takes over the whole thing.

    I do not see any way to get away from every product published by someone with anything to lose having a EULA. Failure to do this will result in someone, sometime trying to get compensated for their perception of a failing. This goes equally well for free, open and even public domain software. There is no legal precedent as far as I know that says liability is limited to the purchase price or that free stuff has no liability.

    I don't know any way out of the current situation other than revamping the entire legal system and maybe more. A few court cases where some precedent was established clearly identifying there not being liability except in cases of gross negligence would be nice.

  32. Re:Agreed by inode_buddha · · Score: 2, Insightful

    Regarding your car example: It's all about money. Warrant as little as possible, disclaim everything, etc. My late parents went through something similar when I was in college with their new car. All it took was a call to their lawyer, who gladly took it on contingency. 10 days later, they had a new transmission installed by the dealer, valued at $2500. The lesson is this: Know when to stick up for yourself.

    --
    C|N>K
  33. Re: EULA's are sometimes illegal by cbreaker · · Score: 4, Insightful

    Sometimes, well, probably many times, EULA's break the law.

    Well, kinda. They contain rules that if enforced, would break the law.

    Software companies put anything into EULA's and they know that half the stuff in them is likely not enforceable. But you'd have to go to court and have a judge decide; a luxury that most people can't afford.

    --
    - It's not the Macs I hate. It's Digg users. -
  34. Message of Unenforceable Laws by Michael_Burton · · Score: 3, Insightful

    It would seem to me (IANAL) that it would be quite unenforceable, but may send the right message to spyware outfits.

    If an unenforceable law sends any message, it is that laws can safely be disregarded. We all remember how Prohibition and draconian anti-drug laws helped to foster our current universal respect for law in the United States.

    --
    When all you have is an axe, everything looks like a grindstone.
  35. Re:Agreed by Fnkmaster · · Score: 4, Insightful
    Most users understand how to operate a car. When something fucks up, the cops usually understand it was user error. I have a small company that sells 20 dollar shareware products online. We get crazy fucking people bitching that a screensaver product we sell has ruined their computers or destroyed Windows or some such nonsense. I also regularly have people who get angry at us and email us repeatedly telling us to stop sending them spam or putting popups on their computer (of course, we don't do either of these things, they are misattributing spyware that came with other products and spam email lists they got on from other companies). Users don't know what the fuck they are doing. Software isn't standardized. This all adds up to a world where the line between user error and software malfunction is very hard to track down sometimes.


    Oh and there ARE computers where our 3d graphics products can cause blue screen errors. This is a result of the interaction between Windows, crappy drivers that misreport features, crappy 3d hardware that doesn't comply with spec, and our software. Who the heck do you hold responsible for this? It's all good and well to tell me that my software needs to be responsible, but if I write to the API that MS provides me (DirectX) and the hardware vendors don't provide drivers that comply, whose fault is it now? How do I make the users understand that? How the heck do you think these issues would work themselves out in court?


    My point is that a car is a commodity item with a simple and straightforward user interface. The two most critical parts of the UI are "stop" and "go". The whole unit is tested and quality assured as a package by the manufacturer. If you add all kinds of aftermarket dingdongs to it, A) they are usually cosmetic, not functional, B) if they are functional, it's generally your fault if you've fudged it up. Computers are made to have people install software written by hundreds of different manufacturers on them, written to interoperate with often-fuzzy specifications and no central quality control process to make sure they all play nice with each other. And the more hardware-dependent an app is, the more likely there are to be a whole other range of problems with it. So no, it's not reasonable to hold software developers to the same standard as auto manufacturers because the nature of the products is so radically different.


    If you want it to just work "as advertised" all the time, it better be a standardized hardware config with a fixed OS version, driver versions, and software installed on it, or you can forget about it.

  36. education, not legislation by SanityInAnarchy · · Score: 4, Insightful

    The Internet functions like a jungle full of ninjas. If an unsuspecting user walks through there and gets assaulted by a ninja, her complaint might be "But that's illegal!" right before her head is separated from her body. In order to catch a ninja, you have to be a ninja -- you have to swing through the trees with the greatest of ease and slice his head off. To survive without being a ninja, you put on a massive suit of armor so that it's harder to slice your head off. It can still happen, though, so you need to know how to use your armor.

    I'm being overly dramatic and overly metaphorical, so I'll make it simple:

    You CANNOT stop spam, viruses, worms, phreaks, spyware, hacks, cracks, modchips, reverse engineering, social engineering, or DOS attacks by making them illegal. I'm not saying that all of them should be legal, just that our tax dollars should not go to writing laws about them.

    You can ONLY stop these things by educating people on how to not get hurt by them. Because they are all a confidence game on the user's computer, and on the user themself, they can all be prevented, but only by intelligent users.

    Our tax dollars should go to educating people about how to not get hit by these things. Every school should be given funds to educate children in such things as programming/scripting (the basics of which go hand-in-hand with what they're learning in math), security, the basics of how to generally use software (like how to use any email client, not just Outlook Express or Hotmail) as well as things like open source/Linux (teaches them something they can take home without begging mommy and daddy to spend $20-$200 on a new piece of software)...

    Even outside of schools, people should know that you don't just go download some new piece of software just because it looks cool and some friend told you about it. You go online and look it up, find out how many people are using it and what they think of it, whether the company that made it is trustworthy, whether there's an open source alternative, and so on. If you still want to try it and it doesn't look trustworthy, you run it in an untrusted user account, throwaway wine setup, chrooted environment, usermode linux, or throwaway computer.

    People should know what a web browser / email client is and why you need to use one that is standards-compliant and secure. They should know how to set up sandboxes to play with potentially unsafe stuff. They should know how to use PGP, or at least why they care. They should know that it doesn't matter who they are or how unimportant their stuff is, someone wants to break into their computer, especially if it's easy.

    What's more, we have the money. We just have to spend it on the right things.

    --
    Don't thank God, thank a doctor!
  37. let's put it like this... by demonhold · · Score: 4, Insightful

    ...just imagine someone putting a tracking device in your clothing that informs advertising agencies, thieves and robbers what your daily habits are, where do you go, how long do you spend there and what stuff do you read, listen to and speak to, what people do you meet, and not only what do you buy but what did you intend to buy checking your shopping list....

    I don't know the situation there in America, but here in Spain and in most of the EU, that bloke would end up in jail for at least a good ten years... besides the fine would be astronomical...

    --
    ... y Dios vio que Linux era bueno... Genesis 99.666
  38. Re:There's a difference... by eclectro · · Score: 2, Insightful

    A simple splash screen is far different than pages of who-knows-what legalese that you are forcing on somebody.

    One can be considered a notice, while the other is an implied contractual agreement (though it is quite legally questionable).

    doctor's services, on the other hand, I would categorize essential. But I think you'll find that in situations where software is essential for human life (such as you described above), there is liability involved. That's why those kind of devices cost tens of thousands of dollars.

    You're the one that chose the example of Doctor's malpractice insurance in your earlier post. But you are right, that is why those systems are expensive.

    So in short, if your mother doesn't like it, she can just stop using the computer.

    So in short, you are saying that it is ok for companies to foist crappy and defective products on unsuspecting consumers?

    It's not as though her life's going to be shortened by doing so. People need to take responsibility for their computers, or else alleviate themselves of it.

    If that isn't "blaming the victim" I don't know what is. So, you would rather my mother accept either having porn trojans on her computer (or stop using it) rather than Microsoft take care of their security problems in the first place?? Is it "ok" that companies can make defective products and sell them to the public??

    I think years of consumer legislation that improves the quality and safety of products (from cars to baby toys to food) speaks for itself. It's just that it hasn't reached software yet because people like you are all too willing to roll over and accept whatever the corporations want to sell them.

    It's not like Microsoft can't make a secure product. They have more money in the bank than most third world countries.

    Your arguments are sounding increasingly silly. Don't defend the guilty.

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  39. Re:Apparently you have never been a sysadmin. by ArsenneLupin · · Score: 1, Insightful
    Wiping someone's machine because of Spyware can lead to losing IT people's jobs.

    Not if it's published company policy to keep important data on the file server.

    Yes, and you can even set up your workstations such that the user profile (the "personal settings") also gets stored on fileserver on logout.

  40. Apparently I don't work at a Luddite company by Safety+Cap · · Score: 2, Insightful
    Where I work, it takes 1 hour to deploy a new machine, from pulling it out of the box, to dropping it on the person's desk. Ditto for someone's machine getting fried. Our techs do not diagnose strange software problems, because our desktop load is SOLID. We spend our time MAKING THE BUSINESS RUN BETTER, not doing inefficient work like spending hours trying to figure out why Winfax doesn't send, or grabbing a stack of CDs when someone needs a new computer.

    Obviously, I could never be a sysadmin at your shop, because I would make some people look like the clods they are when our uptime approached 99.9 or better.

    We've invested nearly $100,000+ in various security measures and our clients STILL get this spyware crap all over their machines.
    Sounds like your sysadmins are the ones who should lose their jobs for costing the company over $100,000 for implementing a solution that doesn't work plus the cost of cleanup.
    ~ its [sic] our ass on the line when the execs who pull in $100k a day in deals lose thousands for being offline for just 10 minutes.
    When you move up to the big leagues (i.e., potentially losing thousands, if not millions of dollars in a matter of minutes due to a poorly-executed transaction), then maybe you'll see that whining "we can't tell the users we have to wipe their machine because it is non functional due to spyware!" doesn't work. Then again, that requires buy-in from the boys up top. If you haven't sold them on the opportunity cost (and savings), then shame on you.
    --
    Yeah, right.