NYS Senator Suggests Criminalizing Spyware

putch writes "New York State Senator Michael Balboni has introduced legislation to make the dissemination of spyware a criminal act. You can read the full bill text here. Is this a good thing? It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user. It would seem to me (IANAL) that it would be quite unenforceable, but may send the right message to spyware outfits. Also interesting is that it requires any 'legitimate' spyware to disclose any bandwidth it may consume and requires the disclosure to be in bits per second." The bill is quite short and readable. (This might remind you of the recently introduced anti-spyware bill in the U.S. Senate.)

When is he up for re-election?

[Liselle]

It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user.

Doesn't sound like it will catch most of what we call Spyware. Pond-scum companies like Gator/Claria can always count on stupid people who click through EULAS. Barring that, they can always attach themselves to a legitimate program that needs the revenue, and may require the Spyware installed in order to function (blah blah, AdAware, but that's not the point).

I'd be more interested in something that took a dig at the EULAS, in the grand tradition of protecting silly people from themselves. This bill looks like do-nothing election-year fluff. Were I a New Yorker, I'd tell this fellow to go back to the drawing board and try again.

Re:When is he up for re-election?

[LostCluster]

It's the definition of "explicit approval" that needs to be worked on...

Gator's lastest tactic is to display a hyperlink in the ActiveX install box that the user has to click on in order to see the terms of service. If the user just clicks "Yes" without visiting that link, they've agreed to a long document worth of terms without having them transmitted.

That shouldn't be possible. That shouldn't be considered an acceptance of the license.

Re:When is he up for re-election?

[maximilln]

I still don't understand why the software industry gets the EULA privelege while other idustries are at least somewhat accountable for producing a quality product. EULAs are getting to be so broad that they mirror the OSS example of,"If this software eats your hard drive we are not responsible." I accept it from OSS/GPL software because I'm not paying for it and it's not using information from my system to make a profitable database for someone else.

In America, you pay for the privelege to be spied on, infiltrated, and abused? wtf?

Re:When is he up for re-election?

[CAIMLAS]

Um, no, EULAs are not 'getting' to be so broad that they mirror the (as you say) "OSS" example of, "If this software eats your hard drive, we are not responsible."

That's been the clause of software packages since, um, forever. Same for hardware. You're out of your fucking mind if you think otherwise: the only way you'd not be in such a scenario is if you paid mucho denero to a company for insurance and/or some sort of odd support contract. You get no gaurantees.

No, these EULAs (spyware, microsoft's, and many others) are more the equivilant of, "You agree to let us fuck you in the ass repeatedly" or, "You agree that we can sell your personal information without your explicit permission," or "You agree that you don't mind these goddamned popups every several seconds." It's like someone saying, "Let us use your lawn to watch the fireworks" and they bulldoze your house to put in bleachers.

Re:When is he up for re-election?

[maximilln]

Commercial software should never be allowed the disclaimer,"We are not responsible if this software eats your drive." If the software is paid for there should be some liability--at least for the cost of the software. I don't agree with cost of lost data. The user accepts some risk.

-----
EULAs (spyware, microsoft's, and many others) are more the equivilant of
-----
Which is far above and beyond the humorous summary of GPL.

So you're agreeing with me... in an adversarial way?

Re:When is he up for re-election?

[CAIMLAS]

The only gripe I have with EULAs is that they leave exception for companies to take pretty damned near any of your information once you agree to the EULA in many cases (not that they couldn't do that anyway, being closed source, but that's another topic of discussion entirely).

Re:When is he up for re-election?

[nomadic]

If you don't like the EULA, break it. It's up to the spyware guys to try and enforce it.

Re:When is he up for re-election?

[maximilln]

Indeed. And, for some reason, the fact that a user has clicked the EULA negates all expectation of any sort of preexisting ethical or moral guidelines.

I think this world has degenrated to a level of: Regardless of any legal documents you may think exist, you have no rights. Now, if you'll just sign here and agree to let us hamstring you, we might give you some of those rights that you think you have. If you don't sign the dotted line then you're free to take your chances at paying rent while working as a cashier at McDonald's.

Re:When is he up for re-election?

[pipingguy]

Anything that gets the idea into the general public consciousness can't be all bad. What is really needed (for the "Survivor" crowd) is an onslaught of PSAs that outline, in simple terms, how to handle spam and scams.

Question is, who is going to pay for it?

Re:When is he up for re-election?

[secondsun]

Unless I have missed something, an EULA is a contract. Contract law has many nice stipulations.

Oral contracts aren't worth the paper they're printed on i.e. no proof no contract.

Both parties have to agree to not only the same contract but also the same interpretation of the contract (which is why when you get a cell phone before you sign anything the sales person has to walk you through the entire contract).

A proper contract is noterized and signed by a witness.

A proper contract is between two people of majority age.

A contract must not be signed under distress.

And many other gotcha's designed to keep lawyers employeed and make contracts possible to break out of. How many of these do EULA's cover?

Now for the ontopic part, the user of the software and the person who agreed to the software terms are not necessarily the same person so even if someone signed explicit agreement it is null and void if the person using the software did not agree to it.

Re:When is he up for re-election?

[Chatmag]

How about after every paragraph of a EULA/Terms of Service, there is a check box indicating the paragraph had been read, Yes or No, with no default, and if any box is left unchecked the software would not load. At the least, a user would have to go down thru the EULA/Terms of Service and check each box.

Re:When is he up for re-election?

[spongman]

the problem is that the damages that can be caused by running software are not necessarily proportional to the cost of that software. $10 shareware can cause as much damage as a $10K enterprise suite if it goes wrong. if you remove the EULA then you are essentially opening the whole software industry up to liability suits. this will affect open source projects much more than comercial products since comercial products will just add the cost of liability insurance to their market rate. take (american) football helmets for example, a $5 helmet might cost up to $50 in the stores, most of which is insurance. open source projects currently have no way of footing this bill so US-based OSS distros will lose much of their market advantage, especially since they're not directly in control of the quality of the various components they ship. nobody wants to invest in unmanageable risk, you'd be better off going to vegas.

Re:When is he up for re-election?

[davmoo]

I can't believe I am about to defend spyware companies, but I'll swallow my pride and here goes...

That shouldn't be possible. That shouldn't be considered an acceptance of the license.

Why should spyware companies be treated differently than anyone else when it comes to agreements?

When I bought my house, I was handed a stack of papers connected with the mortgage, asked to read them, and then sign. The banker did not hold my hand and explicitly tell me anything bad that could happen. It was entirely my responsibility to sit and read those papers.

Likewise when I bought a car, signed on for the utilities for my house, started using a credit card, etc etc so on and so forth. I did not have to prove I really read the papers, not did the companies involved have to explicitly point out bad things to me anywhere other than in those agreements. No one stood over me to make sure I really read the things, and no one forced the companies to read them to me.

While I think spyware companies like Gator (and yes, I'll call 'em "spyware" straight up, and Gator can kiss my ass if they don't like being called spyware) are the lowest form of pond scum on the earth, I also do not believe in subjecting them to tighter requirements than other businesses.

If you don't read the EULA, you have no one to blame but yourself.

And yes, as a matter of fact, I did/do read through all of the agreements I used as examples above, and I sit and read the EULA for every piece of software that gets installed on my machine.

Re:When is he up for re-election?

[spectre_240sx]

I disagree. While I understand what you are saying, the examples you gave are situations of something being sold / transferred in good faith. Spyware, however, is downright harmful. There is nothing about spyware that any person would want anything to do with.

A lot of people who come into the shop I work at with spyware on their computers have no idea what it is or how it got on there. That's quite a bit different than a less than helpful clause in a loan agreement.

Spyware should be treated differently because it IS different. It's only reason for being is to make the company money while destroying peoples computers in the process.

Re:When is he up for re-election?

[davmoo]

What about the value of what the software on the surface claims it does? The programs aren't just spyware, otherwise no one would ever download them. They all at least claim to do something useful. I know many (sick, twisted, and misguided) people who like the functionality of things like Gator Wallet and don't mind the spyware or at least feel like it is a fair price to pay.

"Value" is in the eye of the beholder. It is not the purpose of government to define what software has "value" and what doesn't. This is the same as the government defining what is "art" and what isn't.

As for "destroying computers in the process", I've had many a system hosed by Linux applications and Windows applications alike. Does that mean they should be regulated too? If the EULA on a GPL application absolves the author of being held responsible for any damages that his program causes, how is that any different from a Microsoft or Gator EULA that says the same thing? You are going to find that opening this can of worms releases a sword that cuts both ways.

Re:When is he up for re-election?

[prockcore]

When I bought my house, I was handed a stack of papers connected with the mortgage, asked to read them, and then sign. The banker did not hold my hand and explicitly tell me anything bad that could happen. It was entirely my responsibility to sit and read those papers.


The mortgage doesn't require it, but your realtor is required by law to go over the paperwork paragraph by paragraph with you.

It took me over an hour with my realtor just to do the paperwork when I bought my house. Each paragraph was explained, and then I had to initial.

My mortgage wasn't as bad, they sent me a bunch of paperwork in the mail, I signed and initialed, and mailed it back in.

Re:When is he up for re-election?

[Arker]

Please, educate me more about this clause. I'd like to have my employment and credit card contracts reevaluated under the light of,"Well, your Honor, it was either sign a contract that I knew was a scam or else look at homeless hunger as a real option of life."

That's not duress. Unless of course you were put in that position by the credit card guys, through no fault of your own, then the point could be argued perhaps.

: wrongful and usu. unlawful compulsion (as threats of physical violence) that induces a person to act against his or her will: "coercion"

Your lack of due diligence or even genuine lack of opportunity doesn't allow you to claim duress, despite the Marxist habit of claiming otherwise.

Re:When is he up for re-election?

[Arker]

I agree, there is no way a EULA can be valid under contract law, although there are some factual errors in your post I should clear up. Oral contracts are just as valid as written ones. Of course, if there are no witnesses and the other party is willing to perjure him/herself, then you can have a problem, which is why signed papers are preferable. Notaries and witnesses are not required, they just (like having it on paper) make it easier to establish facts later if you have to sue to enforce it.

But EULAs lack any 'meeting of the minds', any compensation for the 'end user,' and any verification as to who the supposed 'end user' who clicks the accept button is, among other things. This is why they don't call themselves contracts, but rather 'licenses.' This dodge doesn't hold much water either, however.

Legally, you have no need for a 'license' to use the software you've already bought. (You would need a license to, for instance, create derivative works based on it, but not simply to use it.) So why on earth would anyone agree to one?

I've certainly never agreed to any such thing. I've occasionally pushed a button saying 'agree' or the like, simply because it's the only way to get software I own to perform it's function, but the act is certainly performed in those cases without any intent to actually agree to the 300 pages of legalese that I haven't even looked at. I daresay I'm probably a pretty mainstream computer user in that way. And I can't see how a court could possibly claim that this act somehow held any water as a legal agreement without ceasing entirely to be concerned or bound by legal traditions and principles and coming out in broad daylight as just a mouthpiece for the corporations and nothing more.

Re:When is he up for re-election?

[Reziac]

I think the difference is that with your car or mortgage, they stick the entire "EULA" in front of your face where you can't help but trip over it. Whereas spyware and other odious companies frequently do whatever they can to avoid having you read the EULA or TOS, such as only posting it on a website rather than including it with the software or service. It's available, all right, but only with extra effort or inconvenience.

Side thought: there are regulations on how small the "fine print" in meatspace advertising can be (and maybe in contracts too, I don't know about that), because if it's made deliberately illegible, that's considered a deceptive practice. To extrapolate that a bit, isn't making an EULA in some way difficult to read (if only by inconvenient access) essentially the same thing?

[I agree that "this company is a bunch of shitheads" is NOT a valid reason to change the rules just for them. Whatever applies to one company should apply equally to all.]

Criminalizing is a bad idea

Because the law will be overly vague, and the next thing you know, you'll be going to jail for writing software which has online updating.

Re:Criminalizing is a bad idea

[eclectro]

Some people (aka myself) don't like to be continually reminded by an application that they have to purchase/download an upgrade for the software.

If there is a patch/upgrade available, they can let me know by email.

The application does not need to "phone home" for any reason.

Re:Criminalizing is a bad idea

[joNDoty]

This law is vague indeed. Pay attention to the definition:
It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user.
Technically, any time your computer sends a TCP/IP packet, even for something as trivial as a ping, that is broadcasting the fact that you are using your computer.
So now what do we have? All Internet applications are by definition Spyware unless each user has approved the program to do its duty. But of course, we all click "I accept" when we install the program. So this law does...NOTHING! yay for NY.
A better solution would be to put some effort into defining Spyware in a way that does not also fit other useful Internet Apps. Then perhaps implement a standard way these applications must perform. A way that can easily be disabled by the user or even the OS if the user wishes.

Re:Criminalizing is a bad idea

What about cookies? They also acquire personal info from computer (although stored by the browser/web page)...

Re:Criminalizing is a bad idea

[maximilln]

There were many of us who were enraged by the introduction of cookies to the WWW environment. Venerable web browsers such as lynx will, even today, still ask you explicitly if you want to store each and every cookie while more user-friendly web browsers have cookie access controls which do little more than hide the cookies from the user.

Those of us who warned of the slippery slope of cookies were ridiculed and ostricized by starry-eyed users who were lured by promises of ease of use, functionality, and customized foot rubs.

I guess they got what they deserve--spyware, malware, adware, and spam--now they want us to do something to stop it.

Re:Criminalizing is a bad idea

[ctr2sprt]

The vagueness isn't the problem. If you make it more specific, there will be loopholes the size of trucks - the more complex and precise the law, the bigger the loopholes - so they are trying to leave it vague to leave it up to the interpretation of judges and juries. Which also carries its own set of problems.

The real issue here, from what I can see, is that we're trying to criminalize taking advantage of ignorant and/or gullible people. Yes, it's a bit of a fuzzy line. But ultimately people are responsible for their own actions. It's your responsibility, as a computer user, to ensure that you don't install spyware - if you care, anyway. It's not the responsibility of the government to prevent you from doing stupid shit.

I manage to avoid installing spyware because I am informed and cautious. Perhaps it's unfairly egalitarian of me to assume that what I can do, others can too. But I don't think it's good policy to pander to the ignorant, for all that it's what gets you reelected.

Use Utah law as inspiration for a better Fed. law?

[Eric+Smith]

We just need the Federal equivalent of Utah's recently enacted spyware law. Although we should try to make sure our congresscritters don't pass a weaker one that overrides better protections at the state level.

LWN ran a story about the Utah anti-spyware law last month. A number of parties objected, but don't appear to have any legitimate grounds for complaint. The law doesn't ban spyware outright, but requires that spyware explain to the user what it will do, and obtain the user's consent before doing it. Only naughty people/companies should have a problem with that.

The LWN story links to an excellent analysis of the law by Benjamin Edelman.

Explicit Approval?

[williamstephens007]

defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user

Seems like the problem here is "explicit approval". I have personally witnessed people who just answer "YES" or "OK" to anything and everything that pops up on their screen - are they not giving explicit approval? They may be signing away their first born in a paragraph you have to scroll down to see, and they would never know.

Re:Explicit Approval?

[maximilln]

Oooooh bad idea.

Can you imagine the increase of the price in software if it had to go through a federal FDA equivalent to make it to the product shelves? Pirating would go through the roof and then all of these corporate monopolists would push for Trusted Computing that much harder.

Besides, Quaker doesn't admit to adding mercury to their oats and the federal labs don't bother to test Quaker oats but once a decade, with 5 years advance notice, using a special box shipped out the side door. How would labelling requirements prevent MS from bundling spyware and exploitable backdoors with the EU version to slap them back?

Digital Agreements...

[LostCluster]

I think the biggest problem with EULA's is that they can be agreed to without being fully displayed to or read by the end user.

I think that it'd be useful for there to be a legal standard for how a EULA must be presented to a user to be binding. I don't think it should be possible for a user to be legally bound to an agreement that they might have missed by too quickly clicking a "Yes" button.

Re:Digital Agreements...

[Mycroft_VIII]

I think that it'd be useful for there to be a legal standard for how a EULA must be presented to a user to be binding.

How about, not binding unless read, agreed to, and signed BEFORE you buy/download the software for a start.
I think shrinkwrap liscenses are a load of bull and they should be just as struck down as they were when they were tried on other products some time ago.
Also the requirement for 'plain language' was a good thing in the proposed bill, however a requirement of prominance and a reasonable effort to make shure it's actually read would be nice as well.
Plus some of the vagueness needs to be taken care of. As it currently stands some spyware could get through and some non-spyware could be 'caught'. I believe someone else mention the update feature on software, though I'd rather not have more than a notice be automatic, or at least require auto-updating to be turned on. McAfee's updater is broken, it tries silently EVERY 5 MINUTES. And if you've configured windows to automatically connect it'll quite happily do so and if your paying by the minute..........

Mycroft

Re:Digital Agreements...

[Nerd+With+Nalgene]

The problem is not in the way a EULA is displayed.
It is that people don't want to read them. I've seen some where the reader has to scroll all the way down through the license before it is even possible to click the 'I Accept' checkbox. This is a step in the right direction, but the fact is, it isn't enough to help most users. They will figure out what they have to do do get past the license agreement, and most will never even consider reading it.

Re:Digital Agreements...

[stryck9]

Getting EULA's in English would be the first step.

Re:Digital Agreements...

[Uber+Banker]

Do you suggest a quiz on the EULA to be answered?

If anyone agrees to a contract (whether they have read it or not) they deserve to be bound by it. I am in no mind to defend people who agree to contracts they have not read; rather I think we should fight spyware that is true spyware - installed without warning, contract, etc, and hard to uninstall - there is plenty of this about, including from the likes of Gator.

Re:Digital Agreements...

[maximilln]

Legally you're probably right. Once you sign the bottom line on a contract you're bound to it unless you can afford at least twice as many lawyers as the person holding the paper.

It's a shame, however. Consider employment. Because I'm a skilled intellectual employee the companies that I work for ask me to sign away all rights of ownership to anything that I do while I'm under their employment, _AND_ to keep them notified for up to three years of where I am and what I'm doing if I leave, _AND_ to agree never to use anything that I learned or discovered while employed with them to benefit any future employers. Strictly speaking, according to the terms of employee agreements, everything that I've done since 1999 is in breach of contract because everything that I do now was built on skills that I learned then. The only thing that saves me is that I'm not a big enough fish and haven't come up with any multi-billion dollar saleable ideas which would attract the attention of their legal vultures.

The US Constitution, specifically the parts about patenting of ideas and inventors retaining the rights to their invention, was written at a time when an individual wasn't dependent upon some communist corporate entity in order to breathe, eat, and have shelter and clothing. The spirit of those sections is being violated on a massive basis by every company in the US through employee agreements.

EULAs are similar. EULAs were written at a time when a few rich idiots lost their harddrives because they wanted to be cool and defrag their hard drive, didn't want to wait for it to finish, and clicked "cancel". Any half-savvy computer user knows that you don't take the disk out of the drive when the red light is on. I guess people thought that the basic premise of read/write integrity is negated by the invention of the "fixed disk".

All rants about incompetent users aside, though, the EULAs have grown to be in direct violation of basic codes of ethics with respect to product quality.

Re:Digital Agreements...

[eclectro]

I think the biggest problem with EULA's is that they can be agreed to without being fully displayed to or read by the end user.

Maybe the biggest problem with EULAS is the fact that they exist at all.

The only thing an application should have is a copyright notice.

EULAs are only used to try and take away a user's rights (illegaly) that go beyond copyright.

Do you know of any store that will take back a piece of opened software and give a refund that you disagree with the EULA ??

EULAs are immoral in the extreme. This has to be the first issue that a computer rights group should take up.

And the statement printed on software boxes (like microsoft's) that state "You must agree to the end user license to the software" or other such statement is so much poo smelling malarky that it's not funny.

Re:Digital Agreements...

[Rick.C]

I think the biggest problem with EULA's is that they can be agreed to without being fully displayed to or read by the end user.

IANAL but but I do know that paper contracts work the same way. If you sign a lease or a loan agreement, there is no requirement that you actually turn the paper over and read the leagalese on the back. And if that legalese states that some other document is included in the contract, you don't have to read that, either. In fact, the other party does not have to make the included document available to you.

You can just blissfully sign the paper and not worry about it. If you should ever contest the terms of the contract and take it to court, the judge won't care if you read it or not. All he'll ask is if that's your signature and if you say yes, the case is closed.

Okay, for those who are lawyers, there are some rights that you cannot sign away. And you might have a case if you can show that there was deceit involved.

But for the vast majority of simple contracts such as leases and loan agreements, all the details are spelled out and you can read it if you like, or not. Most people just sign, because if they don't sign, they don't get the new car or the new apartment. Same with software: you don't click "OK", you don't get to use the program. For most people, that's all that matters.

Yes, this WILL end spyware

[AtariAmarok]

This effort from Congress will work very well. After all, they have a good track record. The day Bush signed the "Can Spam Act", the spam shut off; haven't seen any since.

Re:Yes, this WILL end spyware

[LostCluster]

No, but it certainly sent the Spammers underground and out of the USA... while there are several US-based for-profit companies still pumping out spyware.

Sure, it won't elimiate them, but it'll put them in the proper class of scum.

Re:Yes, this WILL end spyware

[Micro$will]

I think the Supreme Court will declare this bill unconstitutional due to bad nettiquet:

To: The Senate
From: The Supreme Court
RE: Anti Spyware Bill

When writing bills, please refrain from using all caps, IT'S LIKE YELLING.

But...

[djcreamy]

How many people just click "OK" when the annoying messages appear? Is that considered "explicit" approval? Will there now be more annoying user agreements to read through? Most importantly, will the Windows error report thingy now be illegal?

Figures...

[BigDork1001]

They can't pass a friggin' budget on time for like 15 years in a row but some Senator gets pissed off by Gator and suddenly lets do something. While I appreciate what he's trying to do there are more important things.

Re:Figures...

[scifience]

Actually, this won't stop Gator or most of the things that users consider "spyware". As long as the user decides to "opt-in" to being tracked (in other words, the user clicks Agree to some license) there is nothing that this law can do. The only thing this would really stop is trojans that collect information without the user's "knowledge". While most users don't know that Gator and the like are installed, they have technically opted in by clicking agree on the license screen.

Computer Crime Double Standard

[Featureless]

What if I sneak into a Big Company's computers without their knowledge, using a hacking tool masquerading as a harmless program, or perhaps piggy-backing on a "legitimate" application, and then hide there, secretly reporting traffic and even keystrokes back to a central server? Let alone if I do it sloppily, slowing them down, crashing them, popping up distracting windows all the time?

I think I'd go to prison, don't you?

Why, I think there are some laws against doing that.

Now, switch Big Company with some anonymous little guy. And we debate about whether or not it should even be specifically against the law... Hah.

Re:Computer Crime Double Standard

[CAIMLAS]

A huge part of the problem is the omnipresence of those goddamn ActiveX objects.

I use Mozilla. I don't miss the "content" that oh so many of these objects supposedly allow me to access. I don't even know it's missing, most of the time. Most people get so many of these that they just instinctively click "yes," because otherwise something "might not work right".

And yet people are inundated by their scourge many times daily, "Do you trust this person?" Why should I, or anyone else, have to make a value judgement on the person (or company) who set up a web page just to view their content? I shouldn't.

You can blame MS for this mis-feature, as it's nothing but a crude hack for the inherrently insecure design in ActiveX.

END THE SPYWARE

[k4rm4_p0l7c3]

I run a network with about 300 Windows PCs on it and our staff has had such a hard time with removing this crap. I applaud this movement because i never thought i'd see something surpass the annoying presence of viruses on Windows. Spyware is now our number one threat of individual system stability, and generates so many support calls it's not even funny. while we're on the subject- anyone run a network and successfully automate spybot s&d ? we run it by hand, and never have had time to dig and see if it could be runnable via cmd arguments so we could streamline this whole deal with the logon scripts.. such as auto-immunization. i looked at all the docs, and it doesn't say anything about that kind of stuff. any help would be appreciated

Re:END THE SPYWARE

[paradizelost]

Here's a program that really works, and they have a beta with some cool features, and it functions well in a networked environment. Corp. licensing is $13/client initially then $4/client per year for maintenance.

http://www.pestpatrol.com

I'm doing testing in an environment where there are over 1200 PC's and it works great!

It should be enforceable...

[LordZardoz]

The test would be to see what sort of thing the user has to click to agree to use the spyware.

If its a 30 page EULA, with a 'next' button, then it is not explicit approval.

If its a large dialog box that says "Do you wish to provide Company X with personal information", and lists what info it will send, then that is explicit.

If someone files a complaint under this law, and the spyware does not comply with the appropriate standards, then the company pays a fine (income for the state!), and possibly jail time.

END COMMUNICATION

Re:It should be enforceable...

[CAIMLAS]

Absolutely. I'd wager a good half of the problems are due to the copious amount of legalese.

That's yet another advantage of open source. There is only a relatively small number of licenses: GPL, LGPL, BSD, and a couple others. "This software uses the GPL." You have to read it once, and you then have an idea what subsequent GPL-licensed software allows (or doesn't allow).

Why not make businesses agree on a standard license model that can be used by everyone? "This software conforms to the American Business Ethical License, with the following additions:" (ie, no exceptions, because that would allow for spyware, etc.) or such. It might not be as "free" (as in speech) as OSS, but it will at least provide a standard by which corporations and other companies can be held accountable.

But then again, whoever heard of ethics in business? Certainly not the last couple generations.

The Congress is expert at

... protecting stupid people from themselves.

All of these legal measures, this one and the bill in Utah

that someone else has mentioned are band-aids applied

to the sucking chest wound of the fact that the

average 'Net user wants all the freedom of going to

any site in the world and downloading anything he/she wants

and none of the responsibility of intelligently choosing

said content based on a solid understanding of how information technology actually works.

Call me elitist if you want to, but the scary thing to me about this idea

is that it will give lazy idiots (the people who still call themselves Newbies after using a device for years)

another disincentive to actually gain some knowledge of the tools they use and take for granted every day.

Why in bits per second?

[YouHaveSnail]

So, if I send 1 bit per second for a year, is that more okay than sending 100 kbits per second for 1 second?

Also, if I send 1 bit every 100 seconds, can I round off and just call it 0 bits per second?

Re:Why in bits per second?

[rpozz]

Because if it's in bits per second, it can be compared to the overall speed of the host's internet connection.

Agreed

[mfh]

> Doesn't sound like it will catch most of what we call Spyware.

I'd have to agree. Spyware is any software that installs, either with or without permission, to monitor the user and relay information to third parties, for the purposes of selling merchandise or services. Spyware runs in the background, and is difficult to uninstall, or breaks other programs when uninstalled.

Re:Agreed

". Spyware is any software ... for the purposes of selling merchandise or services"

Uh, or spying?

Spyware that steals credit-card-numbers, etrade accounts, etc is the spyware I fear most.

Re:Agreed

[Bastian]

If a car does not behave as advertised, customers raise a shitfit and the company ends up eating a lot of their own dog food.

If software does not behave as advertised, that's par for the course.

As we say in Wisconsin, what the fuck?

Re:Agreed

[msim]

It's just unfortunately the way things go. Logic dictates that it should be the same for a car as for software. But somewhere along the tracks long ago they would have put that clause in, and most likely set a precedent somewhere.

Also there's the fact of multiple bits of software from a multitude of vendors interacting can screw up something royally, even if they apparently should work flawlessly. Sometimes its program logic thats skewed, sometimes library or call incompatability. Hell it could even be library incompatability within different revisions of the same software.

It should work with all the programs working to a reasonable set of rules. But people discover shortcuts and they like these shortcuts in the name of efficiency or laziness. Thusly computers are far more likely to shit themselves.

Then again i have had a workmate who had a warranty repair on a engine failure in his car (second time around in 1000km, still well within the 30,000km warranty) refused under warranty. Simply because the dealer advised him to go out and get a 2nd hand waterpump to make do as getting a genuine part in would mean his car was off the road for a month.

He rocked up after those 1000km's with a very broken car and was told to nick off as they cant touch it. Simply due to the secondhand part in it that could have caused the engine failure. It had nothing to do with their shoddy workmanship and having fergotten to check the bigend bearings as well as the top end.

Re:Agreed

[inode_buddha]

Regarding your car example: It's all about money. Warrant as little as possible, disclaim everything, etc. My late parents went through something similar when I was in college with their new car. All it took was a call to their lawyer, who gladly took it on contingency. 10 days later, they had a new transmission installed by the dealer, valued at $2500. The lesson is this: Know when to stick up for yourself.

Re:Agreed

[Fnkmaster]

Most users understand how to operate a car. When something fucks up, the cops usually understand it was user error. I have a small company that sells 20 dollar shareware products online. We get crazy fucking people bitching that a screensaver product we sell has ruined their computers or destroyed Windows or some such nonsense. I also regularly have people who get angry at us and email us repeatedly telling us to stop sending them spam or putting popups on their computer (of course, we don't do either of these things, they are misattributing spyware that came with other products and spam email lists they got on from other companies). Users don't know what the fuck they are doing. Software isn't standardized. This all adds up to a world where the line between user error and software malfunction is very hard to track down sometimes.

Oh and there ARE computers where our 3d graphics products can cause blue screen errors. This is a result of the interaction between Windows, crappy drivers that misreport features, crappy 3d hardware that doesn't comply with spec, and our software. Who the heck do you hold responsible for this? It's all good and well to tell me that my software needs to be responsible, but if I write to the API that MS provides me (DirectX) and the hardware vendors don't provide drivers that comply, whose fault is it now? How do I make the users understand that? How the heck do you think these issues would work themselves out in court?

My point is that a car is a commodity item with a simple and straightforward user interface. The two most critical parts of the UI are "stop" and "go". The whole unit is tested and quality assured as a package by the manufacturer. If you add all kinds of aftermarket dingdongs to it, A) they are usually cosmetic, not functional, B) if they are functional, it's generally your fault if you've fudged it up. Computers are made to have people install software written by hundreds of different manufacturers on them, written to interoperate with often-fuzzy specifications and no central quality control process to make sure they all play nice with each other. And the more hardware-dependent an app is, the more likely there are to be a whole other range of problems with it. So no, it's not reasonable to hold software developers to the same standard as auto manufacturers because the nature of the products are so radically different.

If you want it to just work "as advertised" all the time, it better be a standardized hardware config with a fixed OS version, driver versions, and software installed on it, or you can forget about it.

Re:Agreed

[gujo-odori]

I wish I had mod points today so I could spend some here. All the "If software was a car" bitching is at +5 Insightful and here you sit at only +2 for telling the truth.

The nearest computer equivalent to a car is an IBM mainframe. I was a mainframer in the 1980s, and 100% of the hardware in most shops was IBM. The OS was IBM. All of the software on the machines in every shop where I worked came from three sources: IBM, CA, or it was developed in-house to IBM APIs.

If you had a problem, you could get an IBM CE to come out and fix it, 24 x 7 (that support wasn't cheap, but neither would having a dealer mechanic come to your house to fix your car at 3:00 AM Sunday morning be cheap).

In the PC world, where the problems are just as you describe, that kind of near-equivalent of a car can never happen, especially in the Windows world. Things are somewhat better in the open source world because at least when you are writing to a given API, the whole API is definitely available to you, in source form, so you know exactly what you're writing to. Meanwhile, the fact that many of the drivers are either partly or wholly reverse-engineered does not seem to have made them any less reliable than a lot of vendor-written drivers for Windows.

Computers be as reliable as cars? I don't think that will ever happen. I don't think it's even reasonable to expect that, or to even make the comparison. As you say, a car has a pretty simple UI and is tested by the vendor and the stuff at least should all work together. Add to that the fact that even in the United States (which has the least technically competent drivers of any country I've lived in or visited - and yes, I'm American, so this isn't an anti-American troll), you have to get some training and pass a written test and a driving test in order to get a license to drive. No such standard exists for operating a computer, which is a far more complex device, although it's a lot harder to kill someone by being incompetent to use a computer.

Re:Agreed

[Fnkmaster]

Wow, you are quite the caffeinated fellow, aren't you. Show me a company that's going to pull a product from the market and go rewrite it because it can potentially cause a bluescreen for 1/10th of 1 percent of the market. How do I know when I need to pull my product from the market? The first person who complains that there was a blue screen? How can I possibly attribute it to my software, when it hasn't happened for any of the other 5,000 people who've downloaded and used it?

I know now that DirectX can indeed be buggy - but so can OpenGL. It all depends on the hardware support, which ironically is often better for DirectX than for OpenGL these days. So I guess under your system we would all just whine and complain and never release any software until we all lost our jobs and our livelihoods? Realistically, developing rock-solid 3d graphics applications is EXTREMELY difficult, and doing effective QA for 3D software on a tiny budget is even more difficult - if you'd rather live in a world where none of this kind of content saw the light of day, that's fine, nobody's forcing you to download it or to support the small companies developing it.

I'm sure you're a good programmer, as am I, but I don't think you quite know of what you speak here or you wouldn't be spouting off so strongly.

do what I do...

[chrisopherpace]

block all outgoing access to weatherbug.com, the 2 ip addresses used to show weather reports through weatherbug (I forget which ones, just run tcpdump to see them), and block the other major spyware (webshots, kazaa, etc). Then, you will have control adequately (and for those that think you can just cut admin access, try running autocad or something similar (claimzone, etc) as a mortal user.

Trolling for dollars

[Safety+Cap]

I run a network ~ [blah blah] ~. Spyware is now our number one threat of individual system stability ~ [blah blah].

Here's a hint: block every one of your gateway's ports, unless specifically requested, documented, and justified for a business function. Same goes for email attachments. Then block (at your proxy) all the known spyware sites (and stuff that contains "ad" in the DNS name).

You might also, I don't know, image the person's drive; when they screw up the machine, restore the image instead of trying to "clean" it. That way you only spend a few minutes dealing with that, and they get the reinforcing pain of losing all their personalized settings. After doing that a few times, they'll figure out that downloading CRAP is bad.

Re:Trolling for dollars

Nice idea, but 82.7% of these things use plain ol HTTP over port 80 in order to go through firewalls (statistics pulled from ass).

Loophole!

[RallyNick]

9. "KEYLOGGING COMPUTER PROGRAMS" means computer programs, installed without the knowledge of the computer user, that send electronic communications, that the computer user is unaware of, from the computer to an unauthorized user. Such communications are computer files that display ALL of the keystrokes that a computer makes.

So if my keylogger drops all the spacebars then I'm home free, thank you sir!

--

stupid /. won't let me quote all caps

Never get passed

Wouldnt this make it illegal for companies like adobe, to include spyware like anti-piracy measures in their products?

HUH?

[Dimensio]

Why would Sen. John McCain (R, Arizona) be able to block a bill in the New York State Senate?!

Re:Use Utah law as inspiration for a better Fed. l

[RetroGeek]

And also make it part of the law that the "I agree" checkbox be OFF be default.

That alone should protect most people.

Not the solution

[Zephyre]

The solution lies in users educating themselves on the vulnerabilities of their web browsers and the consequences of software that is distributed with AdWare. I work at a university and my department is responsible for dealing with the residential networks and their users. We often have to shut down users who become comprimised and start spamming the hell out of people. Often times a student will look at me and say "I didn't know something like this could happen". Well my office is taking a new direction next year. Including a class held weekly on securing your computer and not downloading that hot new "Osama Bin Laden" game you saw in your buddies AIM profile. I think the legislation will be used to do more harm then good. Software accountability would be nice, but will never happen. The users need to begin to realize that the powerful piece of computer has the potential for bad as well as good. And they'd better learn to control it.

Some Spyware

[cluge]

Some things that probably meet the such a broad definition of spyware -

Windows XP
Windows Media Player
Internet Explorer

All of these programs transmit personal information without your consent (sometimes this depends on your patch level and the virus du jour as well). That being said, as soon as you turned the computer on, or opened the shrink wrap you accepted the EULA. Thus you explicitly accept that your personal information will be transmitted. The same types of wording are in the EULA's often accompany spyware that people install. In the end - it's probably a mute point. Personally I think it would be more important to look at EULA as a whole and how they are used to take away the rights of consumers, as well a shield companies that knowingly sell out defective software.

cluge
AngryPeopleRule

Down the line

[pvt_medic]

does this mean that down the line that the profiles being made on me via shopering reward cards, and other membership related cards are going to have to be disclosed to me as well?

I'll send this guy a note via Incredimail!

[vudufixit]

One of my clients called me up after I did a spyware sweep and clear of her machine. She said, "What happened to my Incredimail?" I replied, "It's spyware, and it's part of what's going wrong on your PC." "Oh, well I was using it and I had some emails saved on it. A friend of mine recommended it to me, she said it was great!" I reinstalled it, and sure enough she called back to tell me her machine slowed down and her popups increased threefold. Sighhhhh...

One problem with this bill

[max+born]

6. IF SUCH DOWNLOAD SHALL ALTER THE SPEED THE COMPUTER TRANSMITS DATA AND IF SO WHAT SUCH ALTERATION SHALL BE IN BITS PER SECOND.

Note the non technical term speed to describe bits per second. Downloading doesn't alter the rate your computer transmits data, it depends on bandwith capacity.

We need to inovate, not litigate. Spyware protection should to be built into the computer not regulated by the government.

Legislatures(sp?)

[MisanthropicProgram]

You Sir,

Are so correct!

I wish folks would look for other options before getting the Legislatores(sp?) involved! They will only pass laws that will further their career one way or another! Or, as you have suggested, add on to laws to further agendas of their campaign contributors!

Make EULAs like Reading Comp. Tests

[kilox]

Quiz users instead of allowing them to hit OK and YES. True or Fasle: We will hijack your system resources?

saw a loophole

[zogger]

it's small as laws go, but I saw a glaring loophole here:

SUCH COMMUNICATIONS ARE COMPUTER FILES THAT DISPLAY
7 ALL OF THE KEY STROKES THAT A COMPUTER USER MAKES.

some goon spyware shop just eliminates the letter q or h or a few more, they can slide by and still easily read the keystrokes for most purposes. Should be struck and changed to ANY keystrokes instead of ALL keystrokes then.

Besides that it's an attempt. Hard to describe spyware though legally, isn't it? And what's data, personal data? Say I don't want ANYONE without my permission (and paying me a fee and getting a license) to be able to identify my architecture, operating sytem, etc. I could call that personal data, and it is really. whoops, just wiped out the ole intarweb there.

Maybe a better way. I dunno, let the smarter guys chew on this one.

Make it illegal to transfer any data in or out of my box without the permission-granted by me by a normal http or similar transfer protocol request from the box itself, or by a signed digital signature granting license for specific services, said license being avaialable by a certain request, the "ping of what's cool to do or offer" request we'lll call it before it gets mush mouthed. Doing it, transferring unwanted data in or out of my box with an executable won't matter than, it will be covered if it hasn't been licensed in advance by MY license, not theirs, as well as any external flooding, overflow attempts to get root, whatever. Seems like it would anyway. Simple,to the point, covers most anything illegal. That'll cover quite a bit, and also make all unsolicited email illegal as well.

OR, bring back dueling, make it legal

OR, pass one law, every 20 years all politicians are fired, they may never hold any elective or appointed office, nor may they be hired-on to government, no work as a lobbyist. along with that, all previously passed laws are null and void, a national "jubilee" (in the classical/historic sense) is declared, and we start from scratch all over again with the basic bill of rights and constitution.

Solve all this crap every 20 years painlessly. Every generation should have their own chance to screw up equally, I say.

speaking of Ciminality...

[KimiDalamori]

I think it should be criminal to create a program which resists being uninstalled by the owner of the hardware on which it was installed, regardless of whether or not the owner accepted it EULA.

Technical solution

[Openstandards.net]

I believe this is another case of the law trying to preempt a technical solution.

Instead of a new law, where the cons by far outweight the pros, from being overly broad to being ineffective because of EULAs, how about a technical solution?

One solution would be a browser plug-in that checks a central database for spyware "signatures", similar to anti-virus software. It would then warn you whenever you downloaded spyware, with a link to more information at the central site.

The primary reason spyware has become prevailant is because user's are unaware. The law is not going to accomplish this, and never be nearly as effective as a technical solution.

Remember when they wanted to make cookies and pop-ups illegal? Browser technology made it possible to deal with them, so the user had choice, control and freedem, without the need for a law.

I am honestly trying to think of ONE good Internet law that passed that was effective at accomplishing its goals. Is there one?

Re:Technical solution

[fltsimbuff]

A solution similar to AV software would simply not work... Why?

First of all, AV software doesn't work well enough... We still end up with pandemics because of the people with outdated AV, and new viruses coming out all the time.

Second, Viruses are illegal. Spyware is not, therefore it is trivial to write a new spyware program with a new signature, and new ways of evading the detection software.

What needs to be done, is a law passed requiring a Privacy rating on all software distributed on the Internet. If it leaves any software running silently on your systen at any time, or modifies any software that is not part of the package, they should have to Say so in BIG RED LETTERS on the install screen, by itself... not list in the EULA sea.

Just my 2 cents.

Re:It'll hurt them

[Bastian]

Spyware relies on being bundled along with software that would otherwise be at least almost legitimate.

If these companies want to continue to do business in the USA and sell products to U.S. customers, they will have to think twice about continuing with producing spyware or doing business with spyware companies.

Another Useless Bill

[nurb432]

Just add the 'notice' in the EULA/click-thru. No one reads them anyway.

Besides, im sure its illegal in another way, no need to pass 'yet another law' to make something illegal x2.

Cool definition...

[Maljin+Jolt]

It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user.

It is easy to keep legal on this. For every packet containing personal information or computer usage data do popup window kindly asking for explicit user approval... Ehm.

Well, every time I see some computer related legal problem of the yankee culture provenance I realise the legality is a very poor replacement for reality.

These aren't even in the same league

I remember when cookies were first implemented by Netscape. I also remember when the first banner ads appeared on yahoo. People could boycott those sites. I remember when slashdot didn't have ads.

And at every step, somebody complained, loudly, that this was the end of the world.

Maybe it's not a good thing that doubleclick knows just about every news article I read these days. Maybe it's not so great that those news articles are crammed between (blocked) ads.

But you know what? Those are mere trivial annoyances to these "drive-by installers" (discussed this morning on c-span with a guy from the FTC) that use known security vulnerabilities to install themselves on my mom's computer to pummel her with pornographic ads. Fortunately she's a Mozilla convert, but the fact remains -- sure, tracking cookies are unnerving, but it's not like the full-on assult against consumers that's going on now.

The features I get because I use cookies (like being able to stay logged in to slashdot) or accept advertising as a form of revenue (like the fact that slashdot even exists [though I do block the ads]) are acceptable trade offs. Hotbar, gator, and the myriad of other spyware tools offer absolutely NOTHING but annoyances. Nothing.

Invest in educations not prosecution

[dwave]

You can't really stop spyware with illegalizing it. It comes as a addition to a programm your average Windows-users want to install. So it's their fault if they also install features that they do not want. And what's the difinition of 'spyware' anyway? Is the Windows media player spyware because it transmits your UID to Microsoft? Is Windows XP spyware with all this activation stuff? First, there has to be a clear definition of this term and it's uses. Then there might be some kind of strict and standardized guarantee or approval that the original distributor of a proprietary software product doesn't use additional features of tracking users and uses. Then a company can be held reliable if they infringe with the rules of an standardized "spyware-free"-label.
But alas, no law can stop users who have the habit of double-clicking everything clickable, be in their Outlook in-box, their desktop or on some local network share.
There's only one way to stop it: education for users that happen to have a computer just by incident but don't understand a thing about it and are happy without having to read manuals or EULAs

In Europe there was a huge problem with camouflaged dialers that establish a connection to some over-priced service-providers charging as much as $35 per call. Only after the media got interested in people who got an devastating phone bill, politicians got aware of this problem and illegalized certain numbers that dialers use. Lots of loopholes are still open, but just the media coverage and the discussion about illegalizing a certain telephony service sensitized the average Windows-user that dialers is something they don't want and double-clicking unknown objects can indeed have a real-life effect.

Approval from the USER??!!

[SmurfButcher+Bob]

Uh, how about approval from the authoritative owner of the freakin MACHINE?

Little Johnny six-pack breaks into your house, shoots you in the head, sits down at your machine... and is now THE USER, and would have authority to consent to such trash.

Think of a corporate layout, for chrissake... end-users have the authority to grant such permission?

BULL$#%. Such garbage language would preclude *any* ability to set policy by the guy who OWNS the machine.

Need to define "computer usage" carefully

[belmolis]

I'm generally sympathetic to attempts like this to get rid of spyware, but it seems to me that "computer usage" needs to be defined carefully in order to avoid criminalizing the collection of inocuous usage information. For instance, I once wrote a time series editor that was basically an interpreter for a specialized programming language, kind of like emacs. For a while, I collected statistics on memory usage and how many times the language primitives were executed and had the program email it to me on exit. The program printed a brief message about this on startup but didn't ask the user's permission. That didn't seem necessary since the resources used were trivial and no personal information was obtained. I've heard of other people doing the same kind of thing. This could fall under information about "computer usage", which presumably is intended to be restricted to information that the user might want to keep confidential, such as web sites visited.

I dreamed about this for a long time

[Orion+Blastar]

Spyware is malware, pure and simple, it is unethical and now it may become illegal.

I want to control what enters and leaves my computer, I do not want web sites installing software without my ok or knowledge. When I click "No" on something I expect it not to install.

There are so many HTML/Javascript based Spyware programs out there it is not funny. I just ran into a JS_INOR.M Spyware/Trojan that Norton AntiVirus 2004 did not even know about nor could it remove it. Trend Micro's Housecall found it and I was able to remove it. It was in my temporary Internet files, so it was on a web page I viewed that installed itself. I was doing research for a college class of mine and the online library only works in IE, not Mozilla or Netscape, some site it linked to for an article I wanted to get installed this malware on my system.

BTW even Spybot could not detect the JS_INOR.M bug. So I propose that the Federal Government form some sort of Anti-Malware organization to share removal information about malware with other companies to make better removal tools. This is a serious threat and a good bulk of this malware originates from other countries that do not have virus, trojan, spyware, adware laws.

EULA and the solution

[Orion+Blastar]

At the end of the EULA is a random 8 digit number. You have to scroll all the way to the bottom to read it in the EULA. In order to accept the EULA you have to enter this number, or else the install fails. That will stop people from hitting "Yes" or "Ok" without at least reading enough to see the number they need to continue.

Also what about EULA on preinstalled software? Nobody clicked through the agreement, so how is it enforcable? Windows, MSWorks, MSOffice, MSMoney, MSScreenOtters, whatever was installed on the PC by the OEM. If it has Spyware, like Media Player, it is already there and no EULA clickthrough was done. What about those issues?

Can Spam First

[BondGamer]

How about we can the spam first and then work on other problems? The government isn't exactly known for handling multiple issues at once.

Re:Can Spam First

[BCW2]

The government can't handle anything involving technology. This has been proved several times the last few years.
1. DMCA - If not written by M$, RIAA, MPA, then at least approved by them in content.
2. Can Spam - All words and context approved by the DMA, which makes it useless.
3. Do Not Call - wait, how did that slip through, it works fairly well. Oh the telephone is how old?

If I were an idiot and if I were a Congressman, but I repeat myself - Mark Twain

The real purpose of a EULA ...

[cdrguru]

The reason for the existence of the EULA is first and foremost the phrase that is in every single one about not being liable for consequential damages. Probably the second most important one is that you are not allowed to steal the product, or parts of the product and resell them independently. Just about everything after that is to reinforce those two phrases. At least that is what the lawyers tell me about our EULA.

You see, with every other product on the face of the earth there is substantial precendent for what constitutes use and misuse of the product. If you decide to open a bottle of catsup with a stick of dynamite you will not find a court anywhere that will let you sue because you got hurt. However, if you install a backup program, never run it and lose all your data you probably can find a lawyer that will file saying the backup software company should have done something to prevent this from happening.

This is the legal climate that exists today. Doctors have to join large groups just to afford the malpractice insurance. Small companies need to have a full time lawyer on staff to review stuff and properly set up agreements. If you don't do this, you lose everything and maybe end up all working for somebody that takes over the whole thing.

I do not see any way to get away from every product published by someone with anything to lose having a EULA. Failure to do this will result in someone, sometime trying to get compensated for their perception of a failing. This goes equally well for free, open and even public domain software. There is no legal precedent as far as I know that says liability is limited to the purchase price or that free stuff has no liability.

I don't know any way out of the current situation other than revamping the entire legal system and maybe more. A few court cases where some precedent was established clearly identifying there not being liability except in cases of gross negligence would be nice.

Re:The real purpose of a EULA ...

[eclectro]

The reason for the existence of the EULA is first and foremost the phrase that is in every single one about not being liable for consequential damages. Probably the second most important one is that you are not allowed to steal the product, or parts of the product and resell them independently.

That's pretty much straw-men arguments.

First, all you would have to do is a have a splash screen that said "copyright 2004 all rights reserved. No warranty implied nor given." That would pretty much cover the purpose of the simpler EULAs out there. If you were particularly worried about it you could ad the statement "Suitability for any purpose not guaranteed."

By doing this you do not require the end user to agree to an EULA, but at the same time notify him that you aren't giving him a warranty.

Probably the second most important one is that you are not allowed to steal the product, or parts of the product and resell them independently.

That's what a copyright notice is for You don't need an EULA to enforce this. Also, did an EULA stop all those warez people from copying programs that were caught in operation fastlink that we have been hearing about?

However, if you install a backup program, never run it and lose all your data you probably can find a lawyer that will file saying the backup software company should have done something to prevent this from happening. This is the legal climate that exists today.

I do not think so. The fact that people will sue over a cup of hot coffee being spilled in their lap doesn't mean that you require them to agree to sign a contract each time they buy a cup of coffee.

This is the legal climate that exists today. Doctors have to join large groups just to afford the malpractice insurance. Small companies need to have a full time lawyer on staff to review stuff and properly set up agreements. If you don't do this, you lose everything and maybe end up all working for somebody that takes over the whole thing.

Rather than hiring a full time lawyer maybe these companies need to use the money in improving their product so that it doesn't fail. There is a reason why doctors have to have malpractice insurance. it is to hold them accountable for their actions

Why should software companies be any different? What makes them *so special* that they feel the need to be let off the hook for *everything*. Other companies have to offer warranties and accept responsibility for the integrity of their products. Why not software?

If I'm hooked up to a machine at the hospital that is performing a function necessary to the health of my person and it crashes because it is running Windows 98 and subsequently hurts my health, I'm going to sue regardless of any EULAs that some software designer agreed to or not.

If Microsoft was held accountable for the products they make, we would have a lot less problems with trojans, viruses, and other malicious software than we due today.

I just finished cleaning a bunch of porn trojans off my mothers computer that were probably put there through a security hole in Microsoft Windows. She was absolutely livid, as she should be.

I don't know any way out of the current situation other than revamping the entire legal system and maybe more.

Nothing in the legal system says a piece of software has to have an EULA. Maybe rather than worry about reforming the legal system we should reform the way software is bought and sold. Maybe software companies need to be held accountable as to the quality of the products they make, rather than tossing an EULA on it thinking that excuses them for shoveling a load of crapware onto our computers.

Time to fight back

[bezuwork's+friend]

In America, you pay for the privelege to be spied on, infiltrated, and abused? wtf?

There is a concept in law called unjust enrichment. It is actually a very old form of action, but it is kindof not used as a lead claim usually. The idea under unjust enrichment is that the defendant received a benefit which is unjust for him/her to keep. The cool thing about unjust enrichment, if the court buys it, is the plaintiff can get disgorgement of profits.

I am writing a paper this semester on a theory to sue the spyware companies. I even talked to one of the leading attorneys in the US in class actions - involved in such suits as the one against DoubleClick.

All the cases for online profiling have failed so far under federal causes of action - the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the so called Wiretap Act. I'm thinking a better route might be with state level actions such as trespass to chattels and unjust enrichment.

That DoubleClick case was interesting. The judge accepted a settlement agreement. One thing stipulated is that it covered all people in the US who had a DoubleClick cookie on their computers before some date in 2002. The other, get this, is that the attorneys got $1.8 million for "reasonable fees".

Now, who wants to pick an online spyware company and try again? I'm damn serious. If a case succeeded, it could make a career.

Does this make Wiki or Slashdot illegal?

[LionKimbro]

It defines spyware as software that transmits personal information or computer usage data without obtaining explicit approval from the user.

So, that describes RecentChanges on a wiki.

Should we have a check box, that you must press, before each submit to a wiki?

What does this mean for Slashdot- does it transmit personal computer usage data when my name page shows the posts I've made?

Re: EULA's are sometimes illegal

[cbreaker]

Sometimes, well, probably many times, EULA's break the law.

Well, kinda. They contain rules that if enforced, would break the law.

Software companies put anything into EULA's and they know that half the stuff in them is likely not enforcable. But you'd have to go to court and have a judge decide; a luxery that most people can't afford.

Message of Unenforceable Laws

[Michael_Burton]

It would seem to me (IANAL) that it would be quite unenforceable, but may send the right message to spyware outfits.

If an unenforceable law sends any message, it is that laws can safely be disregarded. We all remember how Prohibition and draconian anti-drug laws helped to foster our current universal respect for law in the United States.

Computer != car

[rsilvergun]

Maybe this has already been pointed out (I'm too lazy to read the thread right now), but even a C-64 is an order of magnitude more complex (internally at least, not the UI) than most cars (not counting their computers), let alone the mis-matched hodgepodge of hardware and software that most people call 'My Computer'.

Oh, and if you start mucking around with you're car's internals, throwing in strange fuel additives (while the neighborhood kids pour sugar in the gas tank for good measure), and bolting on all sorts of accessories, would you expect warantee service?

********RANT***********

People expect too much for too little from their computers. It's a holdover from the days when only techies played around with 'em. Companies could offer free support because they didn't have to waste time/money on dumb asses who were either too afraid or too stupid to learn how their computers work. Not that companies are blameless. All you've got to do to outsell the other guy is say "Our computer's are easy to use and our support's always free". Sure, you do great for a while, then the idiots start calling, and you've got to do all sorts of nasty things to keep 'em at bay, and keep them from realizing you're blowing them off.

Do we really need new laws?

[ninti]

I would think the existing laws are plenty good enough, if they would just be enforced. The most recent spyware I got, from the truly evil people at coolwebsearch, came through a security flaw in IE, bypassing all my screwed down security settings, installed itself without asking me in any way, purposefully evaded the programs like spybot and adaware and hijackthis, and changed setting on my computer without my permission. This already breaks all kind of laws against hacking and viruses and who knows what else. Why not try and apply these laws first, then if they don't work for whatever reason, then create new ones.

Of course new laws, like the old ones, will have little effect anyway since this crap mostly comes from overseas.

As an aside, Spybot and Adaware don't catch everything, like the one I had. Another good tool for a windows sys-admin's arsenal is Hijackthis (http://www.spywareinfo.com/~merijn/), kind of a better and much more complete msconfig. It requires some more understanding to use correctly, but it will catch stuff nothing else will.

education, not legislation

[SanityInAnarchy]

The Internet functions like a jungle full of ninjas. If an unsuspecting user walks through there and gets assaulted by a ninja, her complaint might be "But that's illegal!" right before her head is separated from her body. In order to catch a ninja, you have to be a ninja -- you have to swing through the trees with the greatest of ease and slice his head off. To survive without being a ninja, you put on a massive suit of armor so that it's harder to slice your head off. It can still happen, though, so you need to know how to use your armor.

I'm being overly dramatic and overly metaphorical, so I'll make it simple:

You CANNOT stop spam, viruses, worms, phreaks, spyware, hacks, cracks, modchips, reverse engineering, social engineering, or DOS attacks by making them illegal. I'm not saying that all of them should be legal, just that our tax dollars should not go to writing laws about them.

You can ONLY stop these things by educating people on how to not get hurt by them. Because they are all a confidence game on the user's computer, and on the user themself, they can all be prevented, but only by intelligent users.

Our tax dollars should go to educating people about how to not get hit by these things. Every school should be given funds to educate children in such things as programming/scripting (the basics of which go hand-in-hand with what they're learning in math), security, the basics of how to generally use software (like how to use any email client, not just Outlook Express or Hotmail) as well as things like open source/Linux (teaches them something they can take home without begging mommy and daddy to spend $20-$200 on a new piece of software)...

Even outside of schools, people should know that you don't just go download some new piece of software just because it looks cool and some friend told you about it. You go online and look it up, find out how many people are using it and what they think of it, whether the company that made it is trustworthy, whether there's an open source alternative, and so on. If you still want to try it and it doesn't look trustworthy, you run it in an untrusted user account, throwaway wine setup, chrooted environment, usermode linux, or throwaway computer.

People should know what a web browser / email client is and why you need to use one that is standards-compliant and secure. They should know how to set up sandboxes to play with potentially unsafe stuff. They should know how to use PGP, or at least why they care. They should know that it doesn't matter who they are or how unimportant their stuff is, someone wants to break into their computer, especially if it's easy.

What's more, We have the money. We just have to spend it on the right things.

following up...

[SanityInAnarchy]

Sometime, when I'm not as annoyed, I'll write an open letter to my congressmen about this. Naturally, I will continue to send the letter saying "you did not read my letter" if I get a form response saying something like "We are aware of the issues about Linux" when Linux was only a side issue.

There's a difference...

[rsilvergun]

between a doctor and a computer programmer. I can choose to live without the services of a computer programmer. The doctor's services, on the other hand, I would categorize essential. But I think you'll find that in situations where software is essential for human life (such as you described above), there is liability involved. That's why those kind of devices cost tens of thousands of dollars. So in short, if your mother doesn't like it, she can just stop using the computer. It's not as though her life's going to be shortend by doing so. People need to take responsibility for their computers, or else alleviate themselves of it.

Oh, and that splash screen you mentioned, that's more or less an abbreviated EULA.

Re:There's a difference...

[eclectro]

A simple splash screen is far different than pages of who-knows-what legalize that you are forcing on somebody.

One can be considered a notice, while the other is an implied contractural agreement (though it is quite legally questionable).

doctor's services, on the other hand, I would categorize essential. But I think you'll find that in situations where software is essential for human life (such as you described above), there is liability involved. That's why those kind of devices cost tens of thousands of dollars.

You're the one that chose the example of Doctor's malpractice insurance in your earlier post. But you are right, that is why those systems are expensive.

So in short, if your mother doesn't like it, she can just stop using the computer.

So in short, you are saying that it is ok for companies to foist crappy and defective products on unsuspecting consumers?

It's not as though her life's going to be shortend by doing so. People need to take responsibility for their computers, or else alleviate themselves of it.

If that isn't "blaming the victim" I don't know what is. So, you would rather my mother accept either having porn trojans on her computer (or stop using it) rather than Microsoft take care of their security problems in the first place?? Is it "ok" that companies can make defective products and sell them to the public??

I think years of consumer legislation that improves the quality and safety of products (from cars to baby toys to food) speaks for itself. It's just that it hasn't reached software yet because people like you are all too willing to roll over and accept whatever the corporations want to sell them.

It's not like Microsft can't make a secure product. They have more money in the bank than most third world countries.

Your arguments are sounding increasingly silly. Don't defend the guilty.

Apparently you have never been a sysadmin.

[Viewsonic]

Wiping someones machine because of Spyware can lead to losing IT peoples jobs. It is their duty to walk through fire to keep their clients machines tip top, virus free, spyware free, and running as close to 100% as possible. Even if the client is the dumbest person on the planet, and surfs hazard sites - It isn't the point, nor their problem. At the end of the day its on you watch, and you have to make sure you keep it working despite any problems they might encounter. If they lose their settings and it upsets them, it'll go up the chain until it comes back down to you and your job.

That said, blocking sites at the firewall, setting up filtering servers, and everything else doesn't work 100% of the time. We've invested nearly $100,000+ in various security measures and our clients STILL get this spyware crap all over their machines. These sites and programs change faster than people finding them can block them. Even the most high end dedicated packet filtering systems with hourly subscription systems can't catch all this crap. It's a freaking MESS. And we're the ones who have to deal with it all in the end, or its our ass on the line when the execs who pull in $100k a day in deals lose thousands for being offline for just 10 minutes.

let's put it like this...

[demonhold]

...just imagine someone putting a tracking device in your clothing that informs advertising agencies, thieves and robbers what your daily habits are, where do you go, how long do you spend there and what stuff do you read, listen to and speak to, what people do you meet, and not only what do you buy but what did you intend to buy checking your shopping list....

I don't the situation there in America, but here in Spain and in most of the EU, that block would end up in jail for a least a good ten years... besides the fine would be astronomical...

did anyone else catch this?

[krewemaynard]

6. "Intercepting or accessing of an electronic communication" and "intentionally intercepted or accessed" mean the intentional acquiring, receiving, collecting, overhearing, or recording of an electronic communication, without the consent of the sender or intended receiver there-of, by means of any instrument, device or equipment, INCLUDING THE USE OF KEYLOGGING COMPUTER PROGRAMS, except when used by a telephone company...in the ordinary course of its business or when necessary to protect the rights or property of such company."

any thoughts on waht implications this might have for progs like ettercap or ethereal?? is it too paranoid to imagine a netadmin being sued by a foremer/disgruntled employee for monitoring network traffic?

--krewe

Apparently I don't work at a Luddite company

[Safety+Cap]

Where I work, it takes 1 hour to deploy a new machine, from pulling it out of the box, to dropping it on the person's desk. Ditto for someone's machine getting fried. Our techs do not diagnose strange software problems, because our desktop load is SOLID. We spend our time MAKING THE BUSINESS RUN BETTER, not doing inefficient work like spending hours trying to figure out why Winfax doesn't send, or grabbing a stack of CDs when someone needs a new computer.

Obviously, I could never be a sysadmin at your shop, because I would make some people look like the clods they are when our uptime approached 99.9 or better.

We've invested nearly $100,000+ in various security measures and our clients STILL get this spyware crap all over their machines.

Sounds like your sysadmins are the ones who should lose their jobs for costing the company over $100,000 for implementing a solution that doesn't work plus the cost of cleanup.

~ its [sic] our ass on the line when the execs who pull in $100k a day in deals lose thousands for being offline for just 10 minutes.

When you move up to the big leagues (i.e., potentially losing thousands, if not millions of dollars in a matter of minutes due to a poorly-executed transaction, then maybe you'll see that whining "we can't tell the users we have to wipe their machine because it is non functional due to spyware!" doesn't work. Then again, that requires buy-in from the boys up top. If you haven't sold them on the opportunity cost (and savings), then shame on you.