NYS Senator Suggests Criminalizing Spyware
putch writes "New York State Senator Michael Balboni has introduced legislation to make the dissemination of spyware a criminal act. You can read the full bill text here. Is this a good thing? It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user. It would seem to me (IANAL) that it would be quite unenforceable, but may send the right message to spyware outfits. Also interesting is that it requires any 'legitimate' spyware to disclose any bandwidth it may consume and requires the disclosure to be in bits per second." The bill is quite short and readable. (This might remind you of the recently introduced anti-spyware bill in the U.S. Senate.)
What if I sneak into a Big Company's computers without their knowledge, using a hacking tool masquerading as a harmless program, or perhaps piggy-backing on a "legitimate" application, and then hide there, secretly reporting traffic and even keystrokes back to a central server? Let alone if I do it sloppily, slowing them down, crashing them, popping up distracting windows all the time?
I think I'd go to prison, don't you?
Why, I think there are some laws against doing that.
Now, switch Big Company with some anonymous little guy. And we debate about whether or not it should even be specifically against the law... Hah.
Want to Know How to Cheat the GPL? Read On!
No, but it certainly sent the Spammers underground and out of the USA... while there are several US-based for-profit companies still pumping out spyware.
Sure, it won't eliminate them, but it'll put them in the proper class of scum.
So, if I send 1 bit per second for a year, is that more okay than sending 100 kbits per second for 1 second?
Also, if I send 1 bit every 100 seconds, can I round off and just call it 0 bits per second?
So if my keylogger drops all the spacebars then I'm home free, thank you sir!
--
stupid /. won't let me quote all caps
Here's a program that really works, and they have a beta with some cool features, and it functions well in a networked environment. Corp. licensing is $13/client initially then $4/client per year for maintenance.
http://www.pestpatrol.com
I'm doing testing in an environment where there are over 1200 PC's and it works great!
"In a world without walls and fences, who needs Windows and Gates?"
McCain is a confirmed toady of big business. He'll never let anything that might inconvenience his patrons become law.
This law is vague indeed. Pay attention to the definition:
It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user.
Technically, any time your computer sends a TCP/IP packet, even for something as trivial as a ping, that is broadcasting the fact that you are using your computer.
So now what do we have? All Internet applications are by definition Spyware unless each user has approved the program to do its duty. But of course, we all click "I accept" when we install the program. So this law does...NOTHING! yay for NY.
A better solution would be to put some effort into defining Spyware in a way that does not also fit other useful Internet Apps. Then perhaps implement a standard way these applications must perform. A way that can easily be disabled by the user or even the OS if the user wishes.
What about cookies? They also acquire personal info from computer (although stored by the browser/web page)...
How many of these people who "Agree" to EULAs are minors, or are not the owner of the machine, and as such not allowed to enter into contracts for the machine?
The theory behind EULAs is that your system makes copies (in RAM, and onto disk), and as such you need a _license_ to make copies. Copyright laws _specifically_ say this is not the case - furthermore, they are often trying to amend the terms of a sale, after it has taken place.
There are a number of other reasons EULAs are not binding in the first place. Have you truly _read_ the full text of every EULA you have ever supposedly been subject to anyway?
The solution lies in users educating themselves on the vulnerabilities of their web browsers and the consequences of software that is distributed with AdWare. I work at a university and my department is responsible for dealing with the residential networks and their users. We often have to shut down users who become compromised and start spamming the hell out of people. Oftentimes a student will look at me and say "I didn't know something like this could happen". Well my office is taking a new direction next year. Including a class held weekly on securing your computer and not downloading that hot new "Osama Bin Laden" game you saw in your buddy's AIM profile. I think the legislation will be used to do more harm than good. Software accountability would be nice, but will never happen. The users need to begin to realize that the powerful piece of computer has the potential for bad as well as good. And they'd better learn to control it.
-----Zephyre
One of my clients called me up after I did a spyware sweep and clear of her machine. She said, "What happened to my Incredimail?" I replied, "It's spyware, and it's part of what's going wrong on your PC." "Oh, well I was using it and I had some emails saved on it. A friend of mine recommended it to me, she said it was great!" I reinstalled it, and sure enough she called back to tell me her machine slowed down and her popups increased threefold. Sighhhhh...
If you don't like the EULA, break it. It's up to the spyware guys to try and enforce it.
Anything that gets the idea into the general public consciousness can't be all bad. What is really needed (for the "Survivor" crowd) is an onslaught of PSAs that outline, in simple terms, how to handle spam and scams.
Question is, who is going to pay for it?
A solution similar to AV software would simply not work... Why?
First of all, AV software doesn't work well enough... We still end up with pandemics because of the people with outdated AV, and new viruses coming out all the time.
Second, Viruses are illegal. Spyware is not, therefore it is trivial to write a new spyware program with a new signature, and new ways of evading the detection software.
What needs to be done, is a law passed requiring a Privacy rating on all software distributed on the Internet. If it leaves any software running silently on your system at any time, or modifies any software that is not part of the package, they should have to Say so in BIG RED LETTERS on the install screen, by itself... not list in the EULA sea.
Just my 2 cents.
I'd like to see a couple more changes, something similar to the following:
1) Any GUI program which has the ability to transmit information over the internet without explicit action being taken by the user should have a standardized graphic warning dialog box, similar in appearance to the "US Surgeon General's Warning." This warning should say: The program must also include a WARNING.TXT file as described below.
If the software is run through a command-line interface or other interface which precludes the production of the standardized graphic, then it shall be sufficient for it to include in its installation package a file called "WARNING.TXT" which states, "The program you are about to install will transmit information over the internet without any enabling action being taken by you. Installation or usage of this program is deemed acceptance." This text file should preferably, but optionally, also explain the reason for needing an internet connection in plain language.
If the software is included as part of a package or operating system, then it would be sufficient for there to be one standardized graphic warning which is produced at the installation of the package and one WARNING.TXT file which names the individual files with internet capabilities.
Note, programs which only send information over the internet when expressly commanded to do so by the user are not required to have a warning of any kind.
Second: All EULAs should have their terms spelled out in a separate text file called "EULA.TXT" which can be read or printed as a standard text file on the target system. If the program comes with a hard-copy instruction manual which is over four pages in length, then the EULA must also be printed in the manual.
Any software which should have the standardized graphic warning dialog box, WARNING.TXT and/or EULA.TXT and doesn't would automatically be deemed in violation of the law.
Here's the thing. Even without such a law being passed, responsible coders in the OSS world could start to institute similar provisions. Eventually, one would hope that people would come to expect the appropriate warning image or file in their software, and would be wary of software which didn't have it. Of course, I wouldn't expect my exact suggestions to be implemented, but it would be better, in my lay opinion, for coders to organize a reasonable standard than to have the government impose something unreasonable upon them.
There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
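The warning-file scheme proposed above, turned into a compliance audit a packager could run before release. This is an added example, not code from the post or any project; it assumes each program in a package is described by a dict with 'name', 'interface' ('gui' or 'cli'), 'unattended_network' (True if it can transmit without an explicit user action) and, for GUI programs, a 'has_warning_dialog' flag standing in for the standardized graphic the post leaves unspecified.

```python
"""Audit an installation package against the proposed WARNING.TXT / EULA.TXT rules.
Added example (not part of the original post). Assumptions: programs are described
by dicts as explained in the lead-in; the graphic warning dialog is modelled as a flag."""
from pathlib import Path
import tempfile

REQUIRED_STATEMENT = (
    "The program you are about to install will transmit information over the "
    "internet without any enabling action being taken by you. Installation or "
    "usage of this program is deemed acceptance."
)


def audit_package(pkg_dir, programs, manual_pages=0, eula_in_manual=False):
    """Return the list of violations; an empty list means the package complies."""
    pkg = Path(pkg_dir)
    violations = []

    # Programs that only transmit on an explicit user command need no warning.
    unattended = [p for p in programs if p["unattended_network"]]

    if unattended:
        # A GUI program must show the standardized warning dialog.
        for p in unattended:
            if p["interface"] == "gui" and not p.get("has_warning_dialog", False):
                violations.append(f"{p['name']}: GUI program without warning dialog")
        # A package with unattended network use ships one WARNING.TXT carrying
        # the fixed statement and naming each file with internet capabilities.
        warning = pkg / "WARNING.TXT"
        if not warning.is_file():
            violations.append("WARNING.TXT missing")
        else:
            text = warning.read_text(encoding="utf-8")
            if REQUIRED_STATEMENT not in text:
                violations.append("WARNING.TXT lacks the required statement")
            for p in unattended:
                if p["name"] not in text:
                    violations.append(f"WARNING.TXT does not name {p['name']}")

    # The EULA must be a plain text file readable on the target system...
    if not (pkg / "EULA.TXT").is_file():
        violations.append("EULA.TXT missing")
    # ...and also printed in any hard-copy manual longer than four pages.
    if manual_pages > 4 and not eula_in_manual:
        violations.append("EULA not printed in the hard-copy manual")
    return violations


def demo():
    """Build two constructed packages in temporary directories and audit both."""
    programs = [
        {"name": "updater.exe", "interface": "cli", "unattended_network": True},
        {"name": "viewer.exe", "interface": "gui", "unattended_network": True,
         "has_warning_dialog": True},
        {"name": "editor.exe", "interface": "gui", "unattended_network": False},
    ]
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        (Path(good) / "WARNING.TXT").write_text(
            REQUIRED_STATEMENT + "\nFiles with internet capabilities: updater.exe, viewer.exe\n",
            encoding="utf-8")
        (Path(good) / "EULA.TXT").write_text("Constructed EULA text.\n", encoding="utf-8")
        # The bad package omits the statement, names only one program and has no EULA.TXT.
        (Path(bad) / "WARNING.TXT").write_text("Network use: updater.exe\n", encoding="utf-8")
        return audit_package(good, programs), audit_package(bad, programs, manual_pages=6)


if __name__ == "__main__":
    compliant, offending = demo()
    print("compliant package:", compliant)
    print("offending package:", offending)
```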
I remember when cookies were first implemented by Netscape. I also remember when the first banner ads appeared on yahoo. People could boycott those sites. I remember when slashdot didn't have ads.
And at every step, somebody complained, loudly, that this was the end of the world.
Maybe it's not a good thing that doubleclick knows just about every news article I read these days. Maybe it's not so great that those news articles are crammed between (blocked) ads.
But you know what? Those are mere trivial annoyances to these "drive-by installers" (discussed this morning on c-span with a guy from the FTC) that use known security vulnerabilities to install themselves on my mom's computer to pummel her with pornographic ads. Fortunately she's a Mozilla convert, but the fact remains -- sure, tracking cookies are unnerving, but it's not like the full-on assault against consumers that's going on now.
The features I get because I use cookies (like being able to stay logged in to slashdot) or accept advertising as a form of revenue (like the fact that slashdot even exists [though I do block the ads]) are acceptable trade offs. Hotbar, gator, and the myriad of other spyware tools offer absolutely NOTHING but annoyances. Nothing.
How about after every paragraph of a EULA/Terms of Service, there is a check box indicating the paragraph has been read, Yes or No, with no default, and if any box is left unchecked the software would not load. At the least, a user would have to go down through the EULA/Terms of Service and check each box.
Pete Carr Owner Chatmag.com
I'm generally sympathetic to attempts like this to get rid of spyware, but it seems to me that "computer usage" needs to be defined carefully in order to avoid criminalizing the collection of innocuous usage information. For instance, I once wrote a time series editor that was basically an interpreter for a specialized programming language, kind of like emacs. For a while, I collected statistics on memory usage and how many times the language primitives were executed and had the program email it to me on exit. The program printed a brief message about this on startup but didn't ask the user's permission. That didn't seem necessary since the resources used were trivial and no personal information was obtained. I've heard of other people doing the same kind of thing. This could fall under information about "computer usage", which presumably is intended to be restricted to information that the user might want to keep confidential, such as web sites visited.
I can't believe I am about to defend spyware companies, but I'll swallow my pride and here goes...
That shouldn't be possible. That shouldn't be considered an acceptance of the license.
Why should spyware companies be treated differently than anyone else when it comes to agreements?
When I bought my house, I was handed a stack of papers connected with the mortgage, asked to read them, and then sign. The banker did not hold my hand and explicitly tell me anything bad that could happen. It was entirely my responsibility to sit and read those papers.
Likewise when I bought a car, signed on for the utilities for my house, started using a credit card, etc etc so on and so forth. I did not have to prove I really read the papers, nor did the companies involved have to explicitly point out bad things to me anywhere other than in those agreements. No one stood over me to make sure I really read the things, and no one forced the companies to read them to me.
While I think spyware companies like Gator (and yes, I'll call 'em "spyware" straight up, and Gator can kiss my ass if they don't like being called spyware) are the lowest form of pond scum on the earth, I also do not believe in subjecting them to tighter requirements than other businesses.
If you don't read the EULA, you have no one to blame but yourself.
And yes, as a matter of fact, I did/do read through all of the agreements I used as examples above, and I sit and read the EULA for every piece of software that gets installed on my machine.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
What about the value of what the software on the surface claims it does? The programs aren't just spyware, otherwise no one would ever download them. They all at least claim to do something useful. I know many (sick, twisted, and misguided) people who like the functionality of things like Gator Wallet and don't mind the spyware or at least feel like it is a fair price to pay.
"Value" is in the eye of the beholder. It is not the purpose of government to define what software has "value" and what doesn't. This is the same as the government defining what is "art" and what isn't.
As for "destroying computers in the process", I've had many a system hosed by Linux applications and Windows applications alike. Does that mean they should be regulated too? If the EULA on a GPL application absolves the author of being held responsible for any damages that his program causes, how is that any different from a Microsoft or Gator EULA that says the same thing? You are going to find that opening this can of worms releases a sword that cuts both ways.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
There is a concept in law called unjust enrichment. It is actually a very old form of action, but it is kindof not used as a lead claim usually. The idea under unjust enrichment is that the defendant received a benefit which is unjust for him/her to keep. The cool thing about unjust enrichment, if the court buys it, is the plaintiff can get disgorgement of profits.
I am writing a paper this semester on a theory to sue the spyware companies. I even talked to one of the leading attorneys in the US in class actions - involved in such suits as the one against DoubleClick.
All the cases for online profiling have failed so far under federal causes of action - the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the so called Wiretap Act. I'm thinking a better route might be with state level actions such as trespass to chattels and unjust enrichment.
That DoubleClick case was interesting. The judge accepted a settlement agreement. One thing stipulated is that it covered all people in the US who had a DoubleClick cookie on their computers before some date in 2002. The other, get this, is that the attorneys got $1.8 million for "reasonable fees".
Now, who wants to pick an online spyware company and try again? I'm damn serious. If a case succeeded, it could make a career.
It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user.
So, that describes RecentChanges on a wiki.
Should we have a check box, that you must press, before each submit to a wiki?
What does this mean for Slashdot- does it transmit personal computer usage data when my name page shows the posts I've made?
The government can't handle anything involving technology. This has been proved several times the last few years.
1. DMCA - If not written by M$, RIAA, MPA, then at least approved by them in content.
2. Can Spam - All words and context approved by the DMA, which makes it useless.
3. Do Not Call - wait, how did that slip through, it works fairly well. Oh the telephone is how old?
If I were an idiot and if I were a Congressman, but I repeat myself - Mark Twain
Professional Politicians are not the solution, they ARE the problem.
That's not duress. Unless of course you were put in that position by the credit card guys, through no fault of your own, then the point could be argued perhaps.
: wrongful and usu. unlawful compulsion (as threats of physical violence) that induces a person to act against his or her will: "coercion"
Your lack of due diligence or even genuine lack of opportunity doesn't allow you to claim duress, despite the Marxist habit of claiming otherwise.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Maybe this has already been pointed out (I'm too lazy to read the thread right now), but even a C-64 is an order of magnitude more complex (internally at least, not the UI) than most cars (not counting their computers), let alone the mis-matched hodgepodge of hardware and software that most people call 'My Computer'.
Oh, and if you start mucking around with your car's internals, throwing in strange fuel additives (while the neighborhood kids pour sugar in the gas tank for good measure), and bolting on all sorts of accessories, would you expect warranty service?
********RANT***********
People expect too much for too little from their computers. It's a holdover from the days when only techies played around with 'em. Companies could offer free support because they didn't have to waste time/money on dumb asses who were either too afraid or too stupid to learn how their computers work. Not that companies are blameless. All you've got to do to outsell the other guy is say "Our computers are easy to use and our support's always free". Sure, you do great for a while, then the idiots start calling, and you've got to do all sorts of nasty things to keep 'em at bay, and keep them from realizing you're blowing them off.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
I wish I had mod points today so I could spend some here. All the "If software was a car" bitching is at +5 Insightful and here you sit at only +2 for telling the truth.
The nearest computer equivalent to a car is an IBM mainframe. I was a mainframer in the 1980s, and 100% of the hardware in most shops was IBM. The OS was IBM. All of the software on the machines in every shop where I worked came from three sources: IBM, CA, or it was developed in-house to IBM APIs.
If you had a problem, you could get an IBM CE to come out and fix it, 24 x 7 (that support wasn't cheap, but neither would having a dealer mechanic come to your house to fix your car at 3:00 AM Sunday morning be cheap).
In the PC world, where the problems are just as you describe, that kind of near-equivalent of a car can never happen, especially in the Windows world. Things are somewhat better in the open source world because at least when you are writing to a given API, the whole API is definitely available to you, in source form, so you know exactly what you're writing to. Meanwhile, the fact that many of the drivers are either partly or wholly reverse-engineered does not seem to have made them any less reliable than a lot of vendor-written drivers for Windows.
Computers be as reliable as cars? I don't think that will ever happen. I don't think it's even reasonable to expect that, or to even make the comparison. As you say, a car has a pretty simple UI and is tested by the vendor and the stuff at least should all work together. Add to that the fact that even in the United States (which has the least technically competent drivers of any country I've lived in or visited - and yes, I'm American, so this isn't an anti-American troll), you have to get some training and pass a written test and a driving test in order to get a license to drive. No such standard exists for operating a computer, which is a far more complex device, although it's a lot harder to kill someone by being incompetent to use a computer.
Sometime, when I'm not as annoyed, I'll write an open letter to my congressmen about this. Naturally, I will continue to send the letter saying "you did not read my letter" if I get a form response saying something like "We are aware of the issues about Linux" when Linux was only a side issue.
Don't thank God, thank a doctor!
between a doctor and a computer programmer. I can choose to live without the services of a computer programmer. The doctor's services, on the other hand, I would categorize essential. But I think you'll find that in situations where software is essential for human life (such as you described above), there is liability involved. That's why those kind of devices cost tens of thousands of dollars. So in short, if your mother doesn't like it, she can just stop using the computer. It's not as though her life's going to be shortened by doing so. People need to take responsibility for their computers, or else alleviate themselves of it.
Oh, and that splash screen you mentioned, that's more or less an abbreviated EULA.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
6. "Intercepting or accessing of an electronic communication" and "intentionally intercepted or accessed" mean the intentional acquiring, receiving, collecting, overhearing, or recording of an electronic communication, without the consent of the sender or intended receiver there-of, by means of any instrument, device or equipment, INCLUDING THE USE OF KEYLOGGING COMPUTER PROGRAMS, except when used by a telephone company...in the ordinary course of its business or when necessary to protect the rights or property of such company."
any thoughts on what implications this might have for progs like ettercap or ethereal? is it too paranoid to imagine a netadmin being sued by a former/disgruntled employee for monitoring network traffic?
--krewe
I saw it on Slashdot, it must be true!
I know now that DirectX can indeed be buggy - but so can OpenGL. It all depends on the hardware support, which ironically is often better for DirectX than for OpenGL these days. So I guess under your system we would all just whine and complain and never release any software until we all lost our jobs and our livelihoods? Realistically, developing rock-solid 3d graphics applications is EXTREMELY difficult, and doing effective QA for 3D software on a tiny budget is even more difficult - if you'd rather live in a world where none of this kind of content saw the light of day, that's fine, nobody's forcing you to download it or to support the small companies developing it.
I'm sure you're a good programmer, as am I, but I don't think you quite know of what you speak here or you wouldn't be spouting off so strongly.