Slashdot Mirror


NYS Senator Suggests Criminalizing Spyware

putch writes "New York State Senator Michael Balboni has introduced legislation to make the dissemination of spyware a criminal act. You can read the full bill text here. Is this a good thing? It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user. It would seem to me (IANAL) that it would be quite unenforceable, but may send the right message to spyware outfits. Also interesting is that it requires any 'legitimate' spyware to disclose any bandwidth it may consume and requires the disclosure to be in bits per second." The bill is quite short and readable. (This might remind you of the recently introduced anti-spyware bill in the U.S. Senate.)

24 of 322 comments (clear)

  1. When is he up for re-election? by Liselle · · Score: 5, Insightful
    It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user.
    Doesn't sound like it will catch most of what we call Spyware. Pond-scum companies like Gator/Claria can always count on stupid people who click through EULAS. Barring that, they can always attach themselves to a legitimate program that needs the revenue, and may require the Spyware installed in order to function (blah blah, AdAware, but that's not the point).

    I'd be more interested in something that took a dig at the EULAS, in the grand tradition of protecting silly people from themselves. This bill looks like do-nothing election-year fluff. Were I a New Yorker, I'd tell this fellow to go back to the drawing board and try again.
    --
    Auto-reply to ACs: "Truly, you have a dizzying intellect."
    1. Re:When is he up for re-election? by LostCluster · · Score: 5, Insightful

      It's the definition of "explicit approval" that needs to be worked on...

      Gator's lastest tactic is to display a hyperlink in the ActiveX install box that the user has to click on in order to see the terms of service. If the user just clicks "Yes" without visiting that link, they've agreed to a long document worth of terms without having them transmitted.

      That shouldn't be possible. That shouldn't be considered an acceptance of the license.

    2. Re:When is he up for re-election? by maximilln · · Score: 5, Insightful

      I still don't understand why the software industry gets the EULA privelege while other idustries are at least somewhat accountable for producing a quality product. EULAs are getting to be so broad that they mirror the OSS example of,"If this software eats your hard drive we are not responsible." I accept it from OSS/GPL software because I'm not paying for it and it's not using information from my system to make a profitable database for someone else.

      In America, you pay for the privelege to be spied on, infiltrated, and abused? wtf?

      --
      +++ATHZ 99:5:80
    3. Re:When is he up for re-election? by CAIMLAS · · Score: 4, Insightful

      Um, no, EULAs are not 'getting' to be so broad that they mirror the (as you say) "OSS" example of, "If this software eats your hard drive, we are not responsible."

      That's been the clause of software packages since, um, forever. Same for hardware. You're out of your fucking mind if you think otherwise: the only way you'd not be in such a scenario is if you paid mucho denero to a company for insurance and/or some sort of odd support contract. You get no gaurantees.

      No, these EULAs (spyware, microsoft's, and many others) are more the equivilant of, "You agree to let us fuck you in the ass repeatedly" or, "You agree that we can sell your personal information without your explicit permission," or "You agree that you don't mind these goddamned popups every several seconds." It's like someone saying, "Let us use your lawn to watch the fireworks" and they bulldoze your house to put in bleachers.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    4. Re:When is he up for re-election? by maximilln · · Score: 5, Insightful

      Indeed. And, for some reason, the fact that a user has clicked the EULA negates all expectation of any sort of preexisting ethical or moral guidelines.

      I think this world has degenrated to a level of: Regardless of any legal documents you may think exist, you have no rights. Now, if you'll just sign here and agree to let us hamstring you, we might give you some of those rights that you think you have. If you don't sign the dotted line then you're free to take your chances at paying rent while working as a cashier at McDonald's.

      --
      +++ATHZ 99:5:80
  2. Criminalizing is a bad idea by Anonymous Coward · · Score: 5, Insightful

    Because the law will be overly vague, and the next thing you know, you'll be going to jail for writing software which has online updating.

  3. Explicit Approval? by williamstephens007 · · Score: 5, Insightful
    defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user

    Seems like the problem here is "explicit approval". I have personally witnessed people who just answer "YES" or "OK" to anything and everything that pops up on their screen - are they not giving explicit approval? They may be signing away their first born in a paragraph you have to scroll down to see, and they would never know.

    --
    William Stephens
    MCSE,MCDST,Well Respected VBScripting Guru
    williams007@yahoo.com,(212)275-4831
  4. Digital Agreements... by LostCluster · · Score: 4, Insightful

    I think the biggest problem with EULA's is that they can be agreed to without being fully displayed to or read by the end user.

    I think that it'd be useful for there to be a legal standard for how a EULA must be presented to a user to be binding. I don't think it should be possible for a user to be legally bound to an agreement that they might have missed by too quickly clicking a "Yes" button.

    1. Re:Digital Agreements... by Mycroft_VIII · · Score: 5, Insightful

      I think that it'd be useful for there to be a legal standard for how a EULA must be presented to a user to be binding.

      How about, not binding unless read, agreed to, and signed BEFORE you buy/download the software for a start.
      I think shrinkwrap liscenses are a load of bull and they should be just as struck down as they were when they were tried on other products some time ago.
      Also the requirement for 'plain language' was a good thing in the proposed bill, however a requirement of prominance and a reasonable effort to make shure it's actually read would be nice as well.
      Plus some of the vagueness needs to be taken care of. As it currently stands some spyware could get through and some non-spyware could be 'caught'. I believe someone else mention the update feature on software, though I'd rather not have more than a notice be automatic, or at least require auto-updating to be turned on. McAfee's updater is broken, it tries silently EVERY 5 MINUTES. And if you've configured windows to automatically connect it'll quite happily do so and if your paying by the minute..........

      Mycroft

      --
      https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
    2. Re:Digital Agreements... by Nerd+With+Nalgene · · Score: 5, Insightful

      The problem is not in the way a EULA is displayed.
      It is that people don't want to read them. I've seen some where the reader has to scroll all the way down through the license before it is even possible to click the 'I Accept' checkbox. This is a step in the right direction, but the fact is, it isn't enough to help most users. They will figure out what they have to do do get past the license agreement, and most will never even consider reading it.

      --


      "as if nothing were solid...and that would be the end of the world, not fire and brimstone, but goo."--Rand
    3. Re:Digital Agreements... by eclectro · · Score: 5, Insightful

      I think the biggest problem with EULA's is that they can be agreed to without being fully displayed to or read by the end user.

      Maybe the biggest problem with EULAS is the fact that they exist at all.

      The only thing an application should have is a copyright notice.

      EULAs are only used to try and take away a user's rights (illegaly) that go beyond copyright.

      Do you know of any store that will take back a piece of opened software and give a refund that you disagree with the EULA ??

      EULAs are immoral in the extreme. This has to be the first issue that a computer rights group should take up.

      And the statement printed on software boxes (like microsoft's) that state "You must agree to the end user license to the software" or other such statement is so much poo smelling malarky that it's not funny.

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  5. It should be enforceable... by LordZardoz · · Score: 5, Insightful

    The test would be to see what sort of thing the user has to click to agree to use the spyware.

    If its a 30 page EULA, with a 'next' button, then it is not explicit approval.

    If its a large dialog box that says "Do you wish to provide Company X with personal information", and lists what info it will send, then that is explicit.

    If someone files a complaint under this law, and the spyware does not comply with the appropriate standards, then the company pays a fine (income for the state!), and possibly jail time.

    END COMMUNICATION

    1. Re:It should be enforceable... by CAIMLAS · · Score: 4, Insightful

      Absolutely. I'd wager a good half of the problems are due to the copious amount of legalese.

      That's yet another advantage of open source. There is only a relatively small number of licenses: GPL, LGPL, BSD, and a couple others. "This software uses the GPL." You have to read it once, and you then have an idea what subsequent GPL-licensed software allows (or doesn't allow).

      Why not make businesses agree on a standard license model that can be used by everyone? "This software conforms to the American Business Ethical License, with the following additions:" (ie, no exceptions, because that would allow for spyware, etc.) or such. It might not be as "free" (as in speech) as OSS, but it will at least provide a standard by which corporations and other companies can be held accountable.

      But then again, whoever heard of ethics in business? Certainly not the last couple generations.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  6. The Congress is expert at by Anonymous Coward · · Score: 5, Insightful

    ... protecting stupid people from themselves.

    All of these legal measures, this one and the bill in Utah

    that someone else has mentioned are band-aids applied

    to the sucking chest wound of the fact that the

    average 'Net user wants all the freedom of going to

    any site in the world and downloading anything he/she wants

    and none of the responsibility of intelligently choosing

    said content based on a solid understanding of how information technology actually works.

    Call me elitist if you want to, but the scary thing to me about this idea

    is that it will give lazy idiots (the people who still call themselves Newbies after using a device for years)

    another disincentive to actually gain some knowledge of the tools they use and take for granted every day.

  7. Re:Computer Crime Double Standard by CAIMLAS · · Score: 5, Insightful

    A huge part of the problem is the omnipresence of those goddamn ActiveX objects.

    I use Mozilla. I don't miss the "content" that oh so many of these objects supposedly allow me to access. I don't even know it's missing, most of the time. Most people get so many of these that they just instinctively click "yes," because otherwise something "might not work right".

    And yet people are inundated by their scourge many times daily, "Do you trust this person?" Why should I, or anyone else, have to make a value judgement on the person (or company) who set up a web page just to view their content? I shouldn't.

    You can blame MS for this mis-feature, as it's nothing but a crude hack for the inherrently insecure design in ActiveX.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  8. Some Spyware by cluge · · Score: 5, Insightful

    Some things that probably meet the such a broad definition of spyware -

    Windows XP
    Windows Media Player
    Internet Explorer

    All of these programs transmit personal information without your consent (sometimes this depends on your patch level and the virus du jour as well). That being said, as soon as you turned the computer on, or opened the shrink wrap you accepted the EULA. Thus you explicitly accept that your personal information will be transmitted. The same types of wording are in the EULA's often accompany spyware that people install. In the end - it's probably a mute point. Personally I think it would be more important to look at EULA as a whole and how they are used to take away the rights of consumers, as well a shield companies that knowingly sell out defective software.

    cluge
    AngryPeopleRule

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  9. Technical solution by Openstandards.net · · Score: 4, Insightful
    I believe this is another case of the law trying to preempt a technical solution.

    Instead of a new law, where the cons by far outweight the pros, from being overly broad to being ineffective because of EULAs, how about a technical solution?

    One solution would be a browser plug-in that checks a central database for spyware "signatures", similar to anti-virus software. It would then warn you whenever you downloaded spyware, with a link to more information at the central site.

    The primary reason spyware has become prevailant is because user's are unaware. The law is not going to accomplish this, and never be nearly as effective as a technical solution.

    Remember when they wanted to make cookies and pop-ups illegal? Browser technology made it possible to deal with them, so the user had choice, control and freedem, without the need for a law.

    I am honestly trying to think of ONE good Internet law that passed that was effective at accomplishing its goals. Is there one?

  10. Re:Agreed by msim · · Score: 4, Insightful

    It's just unfortunately the way things go. Logic dictates that it should be the same for a car as for software. But somewhere along the tracks long ago they would have put that clause in, and most likely set a precedent somewhere.

    Also there's the fact of multiple bits of software from a multitude of vendors interacting can screw up something royally, even if they apparently should work flawlessly. Sometimes its program logic thats skewed, sometimes library or call incompatability. Hell it could even be library incompatability within different revisions of the same software.

    It should work with all the programs working to a reasonable set of rules. But people discover shortcuts and they like these shortcuts in the name of efficiency or laziness. Thusly computers are far more likely to shit themselves.

    Then again i have had a workmate who had a warranty repair on a engine failure in his car (second time around in 1000km, still well within the 30,000km warranty) refused under warranty. Simply because the dealer advised him to go out and get a 2nd hand waterpump to make do as getting a genuine part in would mean his car was off the road for a month.

    He rocked up after those 1000km's with a very broken car and was told to nick off as they cant touch it. Simply due to the secondhand part in it that could have caused the engine failure. It had nothing to do with their shoddy workmanship and having fergotten to check the bigend bearings as well as the top end.

    --

    Life is like a box of chocolates, you never know when your gonna get food poisoning.
  11. Invest in educations not prosecution by dwave · · Score: 5, Insightful


    You can't really stop spyware with illegalizing it. It comes as a addition to a programm your average Windows-users want to install. So it's their fault if they also install features that they do not want. And what's the difinition of 'spyware' anyway? Is the Windows media player spyware because it transmits your UID to Microsoft? Is Windows XP spyware with all this activation stuff? First, there has to be a clear definition of this term and it's uses. Then there might be some kind of strict and standardized guarantee or approval that the original distributor of a proprietary software product doesn't use additional features of tracking users and uses. Then a company can be held reliable if they infringe with the rules of an standardized "spyware-free"-label.
    But alas, no law can stop users who have the habit of double-clicking everything clickable, be in their Outlook in-box, their desktop or on some local network share.
    There's only one way to stop it: education for users that happen to have a computer just by incident but don't understand a thing about it and are happy without having to read manuals or EULAs

    In Europe there was a huge problem with camouflaged dialers that establish a connection to some over-priced service-providers charging as much as $35 per call. Only after the media got interested in people who got an devastating phone bill, politicians got aware of this problem and illegalized certain numbers that dialers use. Lots of loopholes are still open, but just the media coverage and the discussion about illegalizing a certain telephony service sensitized the average Windows-user that dialers is something they don't want and double-clicking unknown objects can indeed have a real-life effect.

  12. I dreamed about this for a long time by Orion+Blastar · · Score: 4, Insightful

    Spyware is malware, pure and simple, it is unethical and now it may become illegal.

    I want to control what enters and leaves my computer, I do not want web sites installing software without my ok or knowledge. When I click "No" on something I expect it not to install.

    There are so many HTML/Javascript based Spyware programs out there it is not funny. I just ran into a JS_INOR.M Spyware/Trojan that Norton AntiVirus 2004 did not even know about nor could it remove it. Trend Micro's Housecall found it and I was able to remove it. It was in my temporary Internet files, so it was on a web page I viewed that installed itself. I was doing research for a college class of mine and the online library only works in IE, not Mozilla or Netscape, some site it linked to for an article I wanted to get installed this malware on my system.

    BTW even Spybot could not detect the JS_INOR.M bug. So I propose that the Federal Government form some sort of Anti-Malware organization to share removal information about malware with other companies to make better removal tools. This is a serious threat and a good bulk of this malware originates from other countries that do not have virus, trojan, spyware, adware laws.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  13. Re: EULA's are sometimes illegal by cbreaker · · Score: 4, Insightful

    Sometimes, well, probably many times, EULA's break the law.

    Well, kinda. They contain rules that if enforced, would break the law.

    Software companies put anything into EULA's and they know that half the stuff in them is likely not enforcable. But you'd have to go to court and have a judge decide; a luxery that most people can't afford.

    --
    - It's not the Macs I hate. It's Digg users. -
  14. Re:Agreed by Fnkmaster · · Score: 4, Insightful
    Most users understand how to operate a car. When something fucks up, the cops usually understand it was user error. I have a small company that sells 20 dollar shareware products online. We get crazy fucking people bitching that a screensaver product we sell has ruined their computers or destroyed Windows or some such nonsense. I also regularly have people who get angry at us and email us repeatedly telling us to stop sending them spam or putting popups on their computer (of course, we don't do either of these things, they are misattributing spyware that came with other products and spam email lists they got on from other companies). Users don't know what the fuck they are doing. Software isn't standardized. This all adds up to a world where the line between user error and software malfunction is very hard to track down sometimes.


    Oh and there ARE computers where our 3d graphics products can cause blue screen errors. This is a result of the interaction between Windows, crappy drivers that misreport features, crappy 3d hardware that doesn't comply with spec, and our software. Who the heck do you hold responsible for this? It's all good and well to tell me that my software needs to be responsible, but if I write to the API that MS provides me (DirectX) and the hardware vendors don't provide drivers that comply, whose fault is it now? How do I make the users understand that? How the heck do you think these issues would work themselves out in court?


    My point is that a car is a commodity item with a simple and straightforward user interface. The two most critical parts of the UI are "stop" and "go". The whole unit is tested and quality assured as a package by the manufacturer. If you add all kinds of aftermarket dingdongs to it, A) they are usually cosmetic, not functional, B) if they are functional, it's generally your fault if you've fudged it up. Computers are made to have people install software written by hundreds of different manufacturers on them, written to interoperate with often-fuzzy specifications and no central quality control process to make sure they all play nice with each other. And the more hardware-dependent an app is, the more likely there are to be a whole other range of problems with it. So no, it's not reasonable to hold software developers to the same standard as auto manufacturers because the nature of the products are so radically different.


    If you want it to just work "as advertised" all the time, it better be a standardized hardware config with a fixed OS version, driver versions, and software installed on it, or you can forget about it.

  15. education, not legislation by SanityInAnarchy · · Score: 4, Insightful

    The Internet functions like a jungle full of ninjas. If an unsuspecting user walks through there and gets assaulted by a ninja, her complaint might be "But that's illegal!" right before her head is separated from her body. In order to catch a ninja, you have to be a ninja -- you have to swing through the trees with the greatest of ease and slice his head off. To survive without being a ninja, you put on a massive suit of armor so that it's harder to slice your head off. It can still happen, though, so you need to know how to use your armor.

    I'm being overly dramatic and overly metaphorical, so I'll make it simple:

    You CANNOT stop spam, viruses, worms, phreaks, spyware, hacks, cracks, modchips, reverse engineering, social engineering, or DOS attacks by making them illegal. I'm not saying that all of them should be legal, just that our tax dollars should not go to writing laws about them.

    You can ONLY stop these things by educating people on how to not get hurt by them. Because they are all a confidence game on the user's computer, and on the user themself, they can all be prevented, but only by intelligent users.

    Our tax dollars should go to educating people about how to not get hit by these things. Every school should be given funds to educate children in such things as programming/scripting (the basics of which go hand-in-hand with what they're learning in math), security, the basics of how to generally use software (like how to use any email client, not just Outlook Express or Hotmail) as well as things like open source/Linux (teaches them something they can take home without begging mommy and daddy to spend $20-$200 on a new piece of software)...

    Even outside of schools, people should know that you don't just go download some new piece of software just because it looks cool and some friend told you about it. You go online and look it up, find out how many people are using it and what they think of it, whether the company that made it is trustworthy, whether there's an open source alternative, and so on. If you still want to try it and it doesn't look trustworthy, you run it in an untrusted user account, throwaway wine setup, chrooted environment, usermode linux, or throwaway computer.

    People should know what a web browser / email client is and why you need to use one that is standards-compliant and secure. They should know how to set up sandboxes to play with potentially unsafe stuff. They should know how to use PGP, or at least why they care. They should know that it doesn't matter who they are or how unimportant their stuff is, someone wants to break into their computer, especially if it's easy.

    What's more, We have the money. We just have to spend it on the right things.

    --
    Don't thank God, thank a doctor!
  16. let's put it like this... by demonhold · · Score: 4, Insightful

    ...just imagine someone putting a tracking device in your clothing that informs advertising agencies, thieves and robbers what your daily habits are, where do you go, how long do you spend there and what stuff do you read, listen to and speak to, what people do you meet, and not only what do you buy but what did you intend to buy checking your shopping list....

    I don't the situation there in America, but here in Spain and in most of the EU, that block would end up in jail for a least a good ten years... besides the fine would be astronomical...

    --
    ... y Dios vio que Linux era bueno... Genesis 99.666