NYS Senator Suggests Criminalizing Spyware
putch writes "New York State Senator Michael Balboni has introduced legislation to make the dissemination of spyware a criminal act. You can read the full bill text here. Is this a good thing? It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user. It would seem to me (IANAL) that it would be quite unenforceable, but may send the right message to spyware outfits. Also interesting is that it requires any 'legitimate' spyware to disclose any bandwidth it may consume and requires the disclosure to be in bits per second." The bill is quite short and readable. (This might remind you of the recently introduced anti-spyware bill in the U.S. Senate.)
I'd be more interested in something that took a dig at the EULAs, in the grand tradition of protecting silly people from themselves. This bill looks like do-nothing election-year fluff. Were I a New Yorker, I'd tell this fellow to go back to the drawing board and try again.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
Because the law will be overly vague, and the next thing you know, you'll be going to jail for writing software which has online updating.
Seems like the problem here is "explicit approval". I have personally witnessed people who just answer "YES" or "OK" to anything and everything that pops up on their screen - are they not giving explicit approval? They may be signing away their first born in a paragraph you have to scroll down to see, and they would never know.
William Stephens
MCSE, MCDST, Well Respected VBScripting Guru
williams007@yahoo.com, (212)275-4831
I think the biggest problem with EULAs is that they can be agreed to without being fully displayed to or read by the end user.
I think that it'd be useful for there to be a legal standard for how a EULA must be presented to a user to be binding. I don't think it should be possible for a user to be legally bound to an agreement that they might have missed by too quickly clicking a "Yes" button.
The test would be to see what sort of thing the user has to click to agree to use the spyware.
If it's a 30-page EULA with a 'next' button, then it is not explicit approval.
If it's a large dialog box that says "Do you wish to provide Company X with personal information", and lists what info it will send, then that is explicit.
If someone files a complaint under this law, and the spyware does not comply with the appropriate standards, then the company pays a fine (income for the state!), and possibly jail time.
END COMMUNICATION
... protecting stupid people from themselves.
All of these legal measures, this one and the bill in Utah that someone else has mentioned, are band-aids applied to the sucking chest wound of the fact that the average 'Net user wants all the freedom of going to any site in the world and downloading anything he/she wants and none of the responsibility of intelligently choosing said content based on a solid understanding of how information technology actually works.
Call me elitist if you want to, but the scary thing to me about this idea is that it will give lazy idiots (the people who still call themselves Newbies after using a device for years) another disincentive to actually gain some knowledge of the tools they use and take for granted every day.
A huge part of the problem is the omnipresence of those goddamn ActiveX objects.
I use Mozilla. I don't miss the "content" that oh so many of these objects supposedly allow me to access. I don't even know it's missing, most of the time. Most people get so many of these that they just instinctively click "yes," because otherwise something "might not work right".
And yet people are inundated by their scourge many times daily, "Do you trust this person?" Why should I, or anyone else, have to make a value judgement on the person (or company) who set up a web page just to view their content? I shouldn't.
You can blame MS for this mis-feature, as it's nothing but a crude hack for the inherently insecure design in ActiveX.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Some things that probably meet such a broad definition of spyware -
Windows XP
Windows Media Player
Internet Explorer
All of these programs transmit personal information without your consent (sometimes this depends on your patch level and the virus du jour as well). That being said, as soon as you turned the computer on, or opened the shrink wrap, you accepted the EULA. Thus you explicitly accept that your personal information will be transmitted. The same types of wording are in the EULAs that often accompany spyware that people install. In the end - it's probably a moot point. Personally I think it would be more important to look at EULAs as a whole and how they are used to take away the rights of consumers, as well as to shield companies that knowingly sell defective software.
cluge
AngryPeopleRule
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
Instead of a new law, where the cons by far outweigh the pros, from being overly broad to being ineffective because of EULAs, how about a technical solution?
One solution would be a browser plug-in that checks a central database for spyware "signatures", similar to anti-virus software. It would then warn you whenever you downloaded spyware, with a link to more information at the central site.
The primary reason spyware has become prevalent is because users are unaware. The law is not going to accomplish this, and will never be nearly as effective as a technical solution.
Remember when they wanted to make cookies and pop-ups illegal? Browser technology made it possible to deal with them, so the user had choice, control and freedom, without the need for a law.
I am honestly trying to think of ONE good Internet law that passed that was effective at accomplishing its goals. Is there one?
Open Standards Portal
It's just unfortunately the way things go. Logic dictates that it should be the same for a car as for software. But somewhere along the tracks long ago they would have put that clause in, and most likely set a precedent somewhere.
Also there's the fact that multiple bits of software from a multitude of vendors interacting can screw up something royally, even if they apparently should work flawlessly. Sometimes it's program logic that's skewed, sometimes library or call incompatibility. Hell, it could even be library incompatibility within different revisions of the same software.
It should work with all the programs working to a reasonable set of rules. But people discover shortcuts and they like these shortcuts in the name of efficiency or laziness. Thusly computers are far more likely to shit themselves.
Then again I have had a workmate who had a warranty repair on an engine failure in his car (second time around in 1000 km, still well within the 30,000 km warranty) refused under warranty. Simply because the dealer advised him to go out and get a 2nd-hand water pump to make do, as getting a genuine part in would mean his car was off the road for a month.
He rocked up after those 1000 km with a very broken car and was told to nick off as they can't touch it. Simply due to the secondhand part in it that could have caused the engine failure. It had nothing to do with their shoddy workmanship and having forgotten to check the big-end bearings as well as the top end.
Life is like a box of chocolates, you never know when you're gonna get food poisoning.
You can't really stop spyware by illegalizing it. It comes as an addition to a program your average Windows users want to install. So it's their fault if they also install features that they do not want. And what's the definition of 'spyware' anyway? Is the Windows Media Player spyware because it transmits your UID to Microsoft? Is Windows XP spyware with all this activation stuff? First, there has to be a clear definition of this term and its uses. Then there might be some kind of strict and standardized guarantee or approval that the original distributor of a proprietary software product doesn't use additional features for tracking users and usage. Then a company can be held liable if they infringe the rules of a standardized "spyware-free" label.
But alas, no law can stop users who have the habit of double-clicking everything clickable, be it in their Outlook inbox, their desktop or on some local network share.
There's only one way to stop it: education for users who happen to have a computer just by accident but don't understand a thing about it and are happy without having to read manuals or EULAs.
In Europe there was a huge problem with camouflaged dialers that establish a connection to some over-priced service providers charging as much as $35 per call. Only after the media got interested in people who got a devastating phone bill did politicians become aware of this problem and illegalize certain numbers that dialers use. Lots of loopholes are still open, but just the media coverage and the discussion about illegalizing a certain telephony service sensitized the average Windows user to the fact that dialers are something they don't want and double-clicking unknown objects can indeed have a real-life effect.
Spyware is malware, pure and simple, it is unethical and now it may become illegal.
I want to control what enters and leaves my computer, I do not want web sites installing software without my ok or knowledge. When I click "No" on something I expect it not to install.
There are so many HTML/Javascript based Spyware programs out there it is not funny. I just ran into a JS_INOR.M Spyware/Trojan that Norton AntiVirus 2004 did not even know about nor could it remove it. Trend Micro's Housecall found it and I was able to remove it. It was in my temporary Internet files, so it was on a web page I viewed that installed itself. I was doing research for a college class of mine and the online library only works in IE, not Mozilla or Netscape, some site it linked to for an article I wanted to get installed this malware on my system.
BTW even Spybot could not detect the JS_INOR.M bug. So I propose that the Federal Government form some sort of Anti-Malware organization to share removal information about malware with other companies to make better removal tools. This is a serious threat and a good bulk of this malware originates from other countries that do not have virus, trojan, spyware, adware laws.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Sometimes, well, probably many times, EULAs break the law.
Well, kinda. They contain rules that, if enforced, would break the law.
Software companies put anything into EULAs and they know that half the stuff in them is likely not enforceable. But you'd have to go to court and have a judge decide; a luxury that most people can't afford.
- It's not the Macs I hate. It's Digg users. -
Oh and there ARE computers where our 3d graphics products can cause blue screen errors. This is a result of the interaction between Windows, crappy drivers that misreport features, crappy 3d hardware that doesn't comply with spec, and our software. Who the heck do you hold responsible for this? It's all good and well to tell me that my software needs to be responsible, but if I write to the API that MS provides me (DirectX) and the hardware vendors don't provide drivers that comply, whose fault is it now? How do I make the users understand that? How the heck do you think these issues would work themselves out in court?
My point is that a car is a commodity item with a simple and straightforward user interface. The two most critical parts of the UI are "stop" and "go". The whole unit is tested and quality assured as a package by the manufacturer. If you add all kinds of aftermarket dingdongs to it, A) they are usually cosmetic, not functional, B) if they are functional, it's generally your fault if you've fudged it up. Computers are made to have people install software written by hundreds of different manufacturers on them, written to interoperate with often-fuzzy specifications and no central quality control process to make sure they all play nice with each other. And the more hardware-dependent an app is, the more likely there are to be a whole other range of problems with it. So no, it's not reasonable to hold software developers to the same standard as auto manufacturers, because the nature of the products is so radically different.
If you want it to just work "as advertised" all the time, it better be a standardized hardware config with a fixed OS version, driver versions, and software installed on it, or you can forget about it.
The Internet functions like a jungle full of ninjas. If an unsuspecting user walks through there and gets assaulted by a ninja, her complaint might be "But that's illegal!" right before her head is separated from her body. In order to catch a ninja, you have to be a ninja -- you have to swing through the trees with the greatest of ease and slice his head off. To survive without being a ninja, you put on a massive suit of armor so that it's harder to slice your head off. It can still happen, though, so you need to know how to use your armor.
I'm being overly dramatic and overly metaphorical, so I'll make it simple:
You CANNOT stop spam, viruses, worms, phreaks, spyware, hacks, cracks, modchips, reverse engineering, social engineering, or DOS attacks by making them illegal. I'm not saying that all of them should be legal, just that our tax dollars should not go to writing laws about them.
You can ONLY stop these things by educating people on how to not get hurt by them. Because they are all a confidence game on the user's computer, and on the user themself, they can all be prevented, but only by intelligent users.
Our tax dollars should go to educating people about how to not get hit by these things. Every school should be given funds to educate children in such things as programming/scripting (the basics of which go hand-in-hand with what they're learning in math), security, the basics of how to generally use software (like how to use any email client, not just Outlook Express or Hotmail) as well as things like open source/Linux (teaches them something they can take home without begging mommy and daddy to spend $20-$200 on a new piece of software)...
Even outside of schools, people should know that you don't just go download some new piece of software just because it looks cool and some friend told you about it. You go online and look it up, find out how many people are using it and what they think of it, whether the company that made it is trustworthy, whether there's an open source alternative, and so on. If you still want to try it and it doesn't look trustworthy, you run it in an untrusted user account, throwaway wine setup, chrooted environment, usermode linux, or throwaway computer.
People should know what a web browser / email client is and why you need to use one that is standards-compliant and secure. They should know how to set up sandboxes to play with potentially unsafe stuff. They should know how to use PGP, or at least why they care. They should know that it doesn't matter who they are or how unimportant their stuff is, someone wants to break into their computer, especially if it's easy.
What's more, we have the money. We just have to spend it on the right things.
Don't thank God, thank a doctor!
...just imagine someone putting a tracking device in your clothing that informs advertising agencies, thieves and robbers what your daily habits are, where you go, how long you spend there, what stuff you read, listen to and speak about, what people you meet, and not only what you buy but what you intended to buy by checking your shopping list....
I don't know the situation there in America, but here in Spain and in most of the EU, that block would end up in jail for at least a good ten years... besides, the fine would be astronomical...
... and God saw that Linux was good... Genesis 99.666