Slashdot Mirror


FTC Officials Wary of Spyware Measures

Nofsck Ingcloo writes "News.com is reporting thusly: 'Two Federal Trade Commission officials ignited a political firestorm on Thursday by criticizing proposed laws targeting spyware and suggesting that the measures might harm legitimate software products, too.' During an appearance before a House of Representatives panel, FTC Commissioner Mozelle Thompson said the measures were the wrong approach to spyware and adware. Basically he is advocating a 'don't throw the baby out with the bath water' approach."

23 of 242 comments

  1. Re:Wonder how much... by Seth+Finklestein · · Score: 1, Interesting

    According to a search on Lexis/Nexis (paid search; subscription required) Claria Corporation donated $10,000 to Mozelle Thompson's campaign and WhenU.com donated $20,000.

    This shall not stand. I'm prepared to take action.

    --
    I'm not Seth Finkelstein. I still speak the truth.
  2. So why isn't the FTC prosecuting any yet? by Maestro4k · · Score: 4, Interesting
    From the article:
    • The FTC representatives countered by saying that while they were "outraged" by spyware, a careful approach was necessary. In addition, during an FTC workshop last week, a prosecutor noted that the Justice Department already had sufficient legal authority under existing computer crime laws to put the most noxious spyware makers in prison.
    If this is true then why aren't they? There are certainly several spyware products "noxious" enough to warrant a prosecution. Sounds like a bluff to me.

    While I understand the FTC needs to protect legitimate business interests along with consumers' interests, this is ridiculous. Yes there may be difficulty in wording the bill so that it doesn't hinder legit software, but that's something that can be resolved. Self-regulation sure as hell isn't going to work, the adware and spyware companies have shown little to no restraint in doing whatever they damn well please.

    Don't believe that last sentence? Just check out how they all claim you have to opt-in to their software, that it's never installed without your permission. Then check out the ad/spy-ware infected software installs and see if they warn you about them. I've yet to see a warning when one of the buggers shows up, and I do read the info during my software installs.

    And finally, just try to remove one without a 3rd-party utility, they're nearly impossible to remove. That alone makes them trespassers to me, since you can uninstall them but they're still partially there, cluttering up your hard drive and mucking with your OS.

  3. Re:Chuck it by Anonymous Coward · · Score: 1, Interesting

    Yes but I shouldn't have to "get rid of it." It shouldn't be installed in the first place. Most install programs with options have little checkboxes or something and you could add a checkbox saying something like "Add software tracking software" or something to that effect. Allow me to uncheck it if I don't want it. Also make it easy to uninstall. I shouldn't have to download a separate program to uninstall it. (or even detect it)

  4. Careful is good.... by jarich · · Score: 2, Interesting
    I am glad that someone is calling for everyone to be "careful"... government interference can be a Pandora's box of problems....

    On the other hand, the spyware, the automated pop-up programs, etc... these need to be outlawed and the "companies" that make money by hijacking information need to be dealt with.

  5. Re:Wonder how much... by thrillseeker · · Score: 5, Interesting
    I don't think government employees can accept "contributions" from companies -- granted, that's just for "over the table" contributions.

    What's funny is that the Trade Commissioner listed after Mozelle on this page is named "Orson Swindle."

    Orson Swindle spent six years being tortured by the North Vietnamese in a Hanoi prison. He came back from that without breaking and with his honor intact - I suspect he's a little beyond being bribed than the average whining slashdotter could even understand.

  6. Re:Chuck it by Anonymous Coward · · Score: 1, Interesting

    I can see his point... if the user is asked for a blanket permission at the start of the install then it negates the purpose of asking permission for the spyware components but if each individual program asks permission, it would take all day.

    Wahh!

    big fricking hairy deal. you tell me exactly what your crud does. if your software is so poorly written to require hundreds of "helper" apps then you need to be exposed as someone up to something or with really poor skills.

    at a minimum.. the EULA needs to have a FULL DISCLOSURE section listing exactly what each thing does, where it reports to and what it collects.

    that would solve the problem instead of playing the scumbag game that these "helper" apps are doing.

  7. Re:Chuck it by 91degrees · · Score: 2, Interesting

    They can go for more generic terms, such as "applications that do not substantially affect the primary purpose of the software" or something like that. Or possibly just include all applications provided by a third party, or all applications intended primarily for advertising.

  8. Re:Chuck it by Anonymous Coward · · Score: 1, Interesting

    Full disclosure when software programs spy on the user. If Microsoft is doing this, they should be stopped. I don't see what your problem with this is.

  9. Re:Chuck it by WCMI92 · · Score: 4, Interesting

    Some sensible regulations:

    1. ALL separate programs not fully integrated into the main program have to have a separate EULA.

    2. Software must come with an uninstaller that completely removes ALL elements packaged with the program.

    3. "Phone Home" spyware must include in the EULA a list of exactly WHAT data it sends, and what protocols and ports it uses to do it.

    4. Spyware makers MUST have provisions to comply with COPPA, and not collect information on persons under 13 (the killer nuke regulation, one Gator can't possibly comply with, but one they could be prosecuted for RIGHT NOW)...

    --
    Corporatism != Free Market
  10. Re:For all the people supporting outlawing spyware by Anonymous Coward · · Score: 3, Interesting

    "Nobody is forcing people to install this software; people agree to install it themselves."

    Bull!!!
    I've a twelve year old developmentally disabled child who surfs websites such as Disney, Cartoon Network, Goosebumps, Warner Brothers etc.
    A recent cleaning with Adaware and Spybot Search and destroy revealed over 150 instances of spyware on his computer including one goofy search toolbar which prompted the most recent cleaning.
    Do you think he agreed to install this shit on his computer? Most of the time I can't get him to agree to take a bath. Quite frankly, I think these kid friendly sites need to clean up their act or face some consequences.
    They all have these nifty little games, wallpapers, movie trailers, along with Gator, Claria, and tons of spyware children have to install to view or play the content.

  11. Tin foil from the other side by maximilln · · Score: 4, Interesting

    While the majority of the American public lacks the critical thinking ability to be able to consider the far reaching implications of their actions there are a few people, hopefully in positions with real capability of impact, who can see the problem for what it is. The average American doesn't realize the full power vested in a web browser that integrates tightly with the operating system. Most Americans don't realize what kind of trouble they're getting themselves into when they demand that their web browser be able to directly access their sound card, or their video card, or integrate seamlessly with apps on their system so that everything seems to be running inside the browser window as if the browser _were_ the operating system. These citizens clamor for functionality and then clamor for security. It is possible to have both but the price is in learning or in cost and both of these are unacceptable to the popular citizenry.

    People in general, and Americans in particular, are obsessed with the mantra of "do something". Perhaps it has been beaten into our culture from the WW-I and WW-II era old hardtimers who felt the indignance of being marched off to war and then watch their subsequent generations enjoy profit without the pain of shell-shock or watching best friends get riddled with bullets. Whatever the reason the American society seems to be unable to enter into a state of natural flux--ebb and flow. Instead American society is stuck in a full steam ahead approach to everything. Refinement means nothing and progress means everything. The definition of progress is addition and more addition. The component of progress that involves improvement has been swamped by the "do something" drive to add more.

    Adware and spyware have come about because the operating system and web browser which appeals to the popular citizenry has given them what they want. It has given them more and more and more as they asked. When the problems arose that, in a normal system, would have encouraged refinement and improvement, the users demanded more and more and more. This resulted in EULAs. EULAs made it possible for the software industry to concentrate on giving the users what they want: more. EULAs made it possible for software manufacturers to be free and clear of the necessary refinements and improvements which could have made adware and spyware obsolete before it ever started.

    The approach to this problem is not to pass more laws. That approach does nothing but feed the "do something" attitude which has brought us to the quagmire of today. The approach to this problem is to refine and improve what we have. We need not to add more laws but rather to remove the artificial laws which give umbrella protection to less than optimal designs.

    --
    +++ATHZ 99:5:80
  12. Re:For all the people supporting outlawing spyware by InvisiBill · · Score: 2, Interesting

    I agree totally. There's nothing inherently wrong with adware. The term simply means software that is supported by ads. The free version of Opera is adware even.

    While neither term has any well-accepted definition...

    You want to pass a law that criminalizes something that's not even defined? Klerck is right about this being a very slippery slope, but even more than that, I just think that they won't be able to come up with a definition that actually covers malware without affecting other "legitimate" software as well. If you refer to the data collection aspect, that could include a lot of companies who happen to collect some of your data for some purpose, even if their privacy policy matches your ideal definition. Most likely, a law for this would just lead to another paragraph in the program's EULA detailing exactly what data it sends where (many already have this info) or another question to answer, but since nobody reads the EULA and just clicks on every Yes button anyway, it won't actually have any effect on the end result.

    These programs do offer some additional value to the user, though it's often something menial. True to the capitalist system, your payment for their service is that they collect data on you to sell to advertisers or whatever. You get something in return for giving them something. Even though most people probably wouldn't find the software worth the cost if they stopped and thought about it, there's nothing that inherently makes this software any less valid than any other piece of software.

    Barring bugs in your software, just pay attention to what you install and you won't have problems. When I see a page in a setup program that asks if I want to install Gator too, I uncheck the box or click Cancel. I don't click yes to every popup I get. My parents don't even have a problem with spyware. (Hint: There are browsers available that aren't littered with remote execution bugs and don't automatically run every program they come to. That's a good start to keeping this stuff off your computer.) If they're using software holes to install themselves without your knowledge, then they're probably in violation of some clause in the DMCA, and already illegal. Making more laws that can't be and/or don't get enforced always solves problems, right?

    "You like this stuff? You're the only person in this country that wants spyware on their computer," Rep. Joe Barton, R-Texas, said to Beales. Referring to the rest of the panel, Barton added, "I would double down and bet that if asked whether they want to take it off, every one but you, sir, (would)."

    Many can be uninstalled just by using the Add/Remove Programs tool. If so many people want to take it off, how come I find so many computers where it could be removed with a few clicks, and isn't?

    Subcommittee Chairman Cliff Stearns, R-Fla., told Thompson, "I'm a little concerned that you're not outraged that people have access to someone's privacy, Social Security numbers, and all this, and you're saying let it go by the wayside."

    I can monitor what data a program on my computer accesses. It's not real easy to sift through all that information, but it's available if I want to use it. My firewall blocks outgoing transmissions unless I authorize them. I honestly don't care if there are a million programs on my PC spying on me, because the information doesn't leave my computer.

    One House bill defines spyware as "any software" that "transmits" personal information--a category that would include any e-mail client (because it transmits an address on the "from" line) and many Unix utilities.

    I don't think it gets any simpler than that. That's the sort of laws that we're looking at. Either they're going to have loopholes so the intended software can get around them, or they'll be so broad as to outlaw all data transmission over the internet.

  13. Re:Chuck it by scruffy · · Score: 2, Interesting

    There shouldn't be "hundreds" of programs in Office potentially sending out your info over the Internet. Each and every one of them is a security hole. Have we learned nothing yet about secure software?

  14. Spyware == Viruses by Stiletto · · Score: 3, Interesting


    Shouldn't spyware already be covered by laws against spreading viruses? Spyware is software installed on my machine without my knowing it, and this is exactly what happens when a virus spreads. What's the difference?

    When it's distributed by a business, it's called spyware, and when it's distributed by a 14-year-old, it's a virus. Is this asinine or what?

  15. Re:Chuck it by Greyfox · · Score: 2, Interesting
    Will she understand it when some asshole (no that's NOT Microsoft) crashes her computer, installs a trojan and then tries to scam her for money because she couldn't be bothered to worry about basic security? I recently saw this site "advertized" via the Windows Messenger Service on the computer of a user who thought it was odd that someone should be asking for money for a patch and came and asked me about it. This user previously could not be bothered to worry about security at all, now she's at least willing to learn to take the basic steps necessary to protect herself.

    Users cannot expect to be able to live without a clue if they want to use the Internet. Some basic level of understanding of their system and the evil people out there is necessary. That's why I keep saying that Internet usage should be licensed, just like Ham Radio usage is today.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  16. Re:No baby by dave420 · · Score: 3, Interesting
    Web plugins are the perfect example of legitimate web-borne installs. Flash player? Fine. Install.

    I actually like Microsoft's approach in IE - it tells you the signer of the app (if any), and gives you info on who's giving you the software. It lets you know exactly who's trying to install what on your machine. True, 90% of the time it's crap, but 10% of the time it's something genuinely useful.

    Take DirectX out of the install package? Do you know how many calls to their CS that will cause? People are dumb - they don't read install notes (heck - on Windows you don't have to). Also, an installer for a game should install the game on your machine, including everything it needs. It should be a two-clicks-and-you're-playing scenario, not a multiple-application approach to installing software. Windows users are used to minimal fuss when installing, and rooting around CDs for software you need to install is pointless (especially when most people will end up running the same apps in the same order, anyway).

    It's false security. Moving DirectX/etc out of the install package just causes people to run them from different locations. If they had spyware in them, they'd still be installed on most computers. All you've succeeded in doing is making the install procedure more complicated and time-consuming. The same amount of machines will be tainted, regardless.

  17. Re:Minimum by TiggsPanther · · Score: 2, Interesting

    Hear hear.
    No more unremoveable spyware...

    ...and as an added bonus, the ability to easily ditch IE and WMP.

    --
    Tiggs
    "120 chars should be enough for everyone..."
  18. Which is baby and which is bath water? by budgenator · · Score: 3, Interesting

    I had an opportunity to drive one of our state representatives around for a weekend. And one of the things that I came to understand is how incredibly difficult it is to write legislation, that does what it is supposed to, only does what it is supposed to, is applied by prosecutors that are too zealous and too lax and is not ripped apart by judges that are too conservative, liberal or senile.

    It's kinda like writing a program that has to be bug-free on release, the specs change constantly and the whole QA department is at a seminar the last week of production.

    Slow and careful can be good, it's not like there isn't good antispyware software out there for free. Personally I use Spybot S&D, it's free as in beer, no cost, except donations. You can find them at www.safer-networking.org.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  19. What legitimate software would be harmed? by Ra5pu7in · · Score: 3, Interesting

    The FTC is off their rocker. What legitimate software out there is unable or unwilling to comply with this legislation? Seems to me that simply notifying the customer of the exact actions of the software and making removal of the software a normal process would be sufficient. When I load software, and it includes components that may contact a website and send information, I want to be told this and EXACTLY what will be sent and choose yes or no to this specifically. A good example is WinAmp. After installation, I was asked to register and decide if I wanted usage information to be sent periodically. Self-correction has never worked with slimy businesses. The good businesses do change so that the distinction is clearer (no good business wants to be seen as slimy). However, the slime won't stop until it is made difficult to impossible for them to proceed.

    --
    I was taking one day at a time, but then several days got together and ambushed me. (from a Rhymes with Orange comic)
  20. Spyware -- The "Riders" of the Internet by cryptor3 · · Score: 2, Interesting

    Spyware -- software that piggybacks on other software and masquerades itself as something relevant, hoping you won't notice.

    How ironic would it be if the house of reps outlawed spyware, and inadvertently made it illegal to tack "riders" onto House Bills.

    IDNRTFA. 0:-)

  21. Re:Chuck it by nysus · · Score: 2, Interesting
    I fail to understand your argument that because this is a problem that can be solved by technology, then it is a problem that does not require legislation.

    One could make an argument that because a body of scientific knowledge is available about the safety of food products, there is no need for the FDA to regulate our food supply. Why, we could all just become our own food safety experts and train ourselves to watch what we eat very closely so we don't ingest toxic substances, right?

    You say you base your argument on practicality, but is it really practical for everyone who owns a PC to become experts at getting rid of spyware? Is that possible? I know some very intelligent people and they lead lives outside of the universe that is their home computer. They don't have the time or the interest to learn about spyware or how to get rid of it. They aren't going to devote time to thinking about administrative privileges and they've got teenage sons and daughters that click on every popup window just to see what happens. Don't people have enough to worry about these days? Why should every single person who owns a PC have to go out of their way to guard against a few assholes that want to secretively install software on computers to make a buck? It is not, as you propose, a practical solution nor an efficient one, and it won't work. All your solution will do is cause countless hours upon hours of lost time and frustration from people whose computers are gummed up with bullshit.

    Rather than have everyone fend for themselves, it's much more efficient if there are rules and guidelines hammered out in a democratic fashion. Sure, some people will get their feet stepped on, but that's democracy and it requires compromise. No one said regulation will produce utopia, but it will keep chaos at bay. As much as we'd love to have control over every aspect of our lives, it's just not possible, especially in a complex society.

    --

    ---Technology will liberate us if it doesn't enslave us first.

  22. Re:Your admins need to be fired then by 0x0d0a · · Score: 2, Interesting


    -NOT MAKING ORDINARY USERS ADMINISTRATORS! (usually due to laziness because some lame app written for win95 doesn't work and the 'IT guy' doesn't know how to change a reg permission).

    Ok. In almost all cases, not necessary for spyware.

    -Centralized, automatic, forced software upgrades.

    "CEO Smithley? Yes, this is CFO Barker. Well, I was just working on my Excel numbers for our shareholder presentation, and my machine rebooted when I went out for a cup of coffee and I lost all my work. IT says something about "security holes", and how they won't stop doing this. Can we just get rid of that new CIO? He's been a pain in the ass since he got here."

    -Using a "bare minimum to do what I need to do" model for security access

    Sounds great. Not real practical except in the presence of competent security admins to define "what needs to be done". Not a lot of those floating around.

    -Firewalls that block certain *outgoing* access as well as incoming

    Useless, because of the "IE hole". IE essentially has to be allowed free access, and it's easy for applications to request IE to send data over the network. There are a ton of vectors to use.

    -Disabling, not installing, etc. software and services that are unnecessary. (again, frequent IT ignorance here. Idiots who don't know anything about software installation other than to select

    And you've got everything locked down and then something comes along that needs to use Active Directory. Uh, huh.

    -Some modicum of Blocking/Blacklisting/etc. access to sites/services that are known to be nothing but viruses, spyware, etc.

    Not a reliable blocking mechanism, and probably done by many companies.

    -Education, education, education. e.g. "No Ms. Jacobs, you should not click yes to the Bonzi Buddy installer." or "No, Mr. Harris, you should not type your local network password into that website's Java popup window just because it is asking for it."

    I agree that this can be done with some things, but training is expensive, and things that are obvious to someone with years of experience in the computer industry may not be to Joe User.

    -A well thought, clearly-defined acceptable use policy that is enforced - including termination for serious violations

    Yeah, firing a leading salesman because he clicked "OK" in a Bonzi Buddy dialog is going to go over *real* well with upper management.

    There are a couple issues here.

    (a) Microsoft has made many extremely poor decisions WRT remote control over the local computer. Outlook hands email off to a full-blown HTML renderer, MSIE allows itself to be communicated with in many ways, is tied tightly into the OS, allows popups, has been used to push ActiveX and the like. Windows runs a number of network services out of box (and Microsoft treats the solution to the exposure of their poorly-designed-from-a-security-standpoint set of on-by-default Windows networking stuff as IP-based firewalling). Many folks are stuck with this (barring something extreme like switching to Linux, which is frequently not an option). A quick change to some policy will not fix these problems.

    (b) Spyware vendors are smart and computer systems are complex. I won't bet on the ability of Joe User to avoid being gulled by SpywareCo programmer Mike Assmunch.

    (c) Windows does not provide good tools for analyzing what programs are doing. Linux does not provide good easy-to-use tools.

    (d) Personal computer OSes (Windows, classic Mac OS) are designed around easy configuration and administration by users rather than operating like a kiosk.

    (e) Users value features and performance over security (which is really hard to see and measure, anyway...most people that "sell security" in a way that can be understood by the end user are selling the illusion of security -- personal firewall vendors, Verisign in general, etc)

  23. Re:Self-regulation by 0x0d0a · · Score: 2, Interesting

    Government regulation to solve a problem that can be solved with a technical solution is no more desirable.

    Blame Microsoft for poor security policy and placing a low priority on keeping the user in control of their system, not on the FTC failing to make a law.

    Almost all other OS vendors have placed a high degree of emphasis on keeping the user in control of their system. Apple forbids software following the HIG to do anything based only on cursor movement, for instance -- the idea is that the user should never feel that he is not in control of what's going on. ActiveX and unblocked popups are an artifact of Internet Explorer. The fact that IE provides a huge loophole for malicious applications to use to slip through firewalls is due to the fact that MS considered the political benefits to them of insinuating MSIE throughout their OS outweighed the benefits to the user of having a secure system where they could easily monitor and control what was going out. MS has no problem with broadcasting the computer name, logged-on-user's name and such information to the world at large via the Windows networking system. MS was less worried about execution of active content in emails than about the security implications to users of doing so -- the idea was that "security is hard to sell to a user, so we won't worry about it." The few times that they have "sold security", it's frequently a load of bullshit that has little to do with real security, like driver signing or DRM. Windows suffers from fundamental API security problems like the Shatter attacks. Currently, it may actually be that market pressures are making them honestly wish that they had done something different, but they have a thoroughly worm-eaten structure from a security standpoint now -- many of their decisions cannot be taken back, and many others would be phenomenally expensive to do so. Their lack of concern for security has made many third-party vendors in turn feel that application security is unimportant, and exacerbated the problem. I've heard some great horror stories about internal Microsoft development security practices. If the OS vendor does not provide a solid, secure foundation and set a good example themselves, nobody else does.

    Windows just does not have a culture of caring about security, and it has come back and firmly bitten some asses (to the great satisfaction of those of us who have been vehemently arguing that Microsoft should place security more highly and limit trust of remote websites to control the local machine all along).