FTC Officials Wary of Spyware Measures
Nofsck Ingcloo writes "News.com is reporting thusly:
'Two Federal Trade Commission officials ignited a political firestorm on Thursday by criticizing proposed laws targeting spyware and suggesting that the measures might harm legitimate software products, too.' During an appearance before a House of Representatives panel, FTC Commissioner Mozelle Thompson said the measures were the wrong approach to spyware and adware. Basically he is advocating a 'don't throw the baby out with the bath water' approach."
he gets from these so-called "software companies" in contributions?
Heave the "baby" out with the bathwater. Spyware is called spyware because of what it is. There's no mistaking a legitimate program that a user chooses to install. In my opinion, if the user knows it's being installed then it's not spyware. If the user doesn't fully know what's being installed then it is spyware, and that type of software should be chucked out with the bathwater.
http://github.com/gbook/nidb
-
The FTC representatives countered by saying that while they were "outraged" by spyware, a careful approach was necessary. In addition, during an FTC workshop last week, a prosecutor noted that the Justice Department already had sufficient legal authority under existing computer crime laws to put the most noxious spyware makers in prison.
If this is true then why aren't they? There are certainly several spyware products "noxious" enough to warrant a prosecution. Sounds like a bluff to me.
While I understand the FTC needs to protect legitimate business interests along with consumers' interests, this is ridiculous. Yes there may be difficulty in wording the bill so that it doesn't hinder legit software, but that's something that can be resolved. Self-regulation sure as hell isn't going to work, the adware and spyware companies have shown little to no restraint in doing whatever they damn well please.
Don't believe that last sentence? Just check out how they all claim you have to opt-in to their software, that it's never installed without your permission. Then check out the ad/spy-ware infected software installs and see if they warn you about them. I've yet to see a warning when one of the buggers shows up, and I do read the info during my software installs.
And finally, just try to remove one without a 3rd-party utility, they're nearly impossible to remove. That alone makes them trespassers to me, since you can uninstall them but they're still partially there, cluttering up your hard drive and mucking with your OS.
Basically he is advocating a 'don't throw the baby out with the bath water' approach."
In this case the baby is green, has 10 eyes, keeps track of your every move, spits in your face with ads, and is guaranteed to wreck your house.
So you do toss the baby out with the bathwater. Otherwise you have a monster on your hands.
Some call him Gator
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
I'm not sure I fully agree with your description of the problem, but I think you're mostly right here.
Any attempt to describe the injustice in a foolproof way will only (or probably only) assert heavy restrictions on valid software. Any attempt to prove that the software was "granted" permission by the user will result in deeply-hidden and cleverly-worded explanations of what the software is doing. The same folks that are susceptible to it today will still be susceptible in the end.
::jafomatic
Voluntary Self-Regulation by industry=Popular Republican political strategy. Basically a neat way of pretending to do something while actually ignoring the problem.
Only to idiots, are orders laws.
-- Henning von Tresckow
There's no baby in the bathwater of ActiveX installs. There never was. Who needs software installed directly from the web browser? Legitimate installer programs are easy to come by, and most people who are able to go out and search for the software in the first place are smart enough to get it downloaded and installed.
There is a problem in preventing "Third party installations" from being included in the installers, as many games and legitimate tools have come to rely on DirectX, Quicktime, and Rad Game tools. But there is no necessity to include them as part of the installer itself. Merely make a note in the installer that you need to install these utilities too and that they are included on the cd or in a setup directory.
When life gives you crap, Make Crapade.
Sluggy Freelance.
On the other hand, the spyware, the automated pop-up programs, etc... these need to be outlawed and the "companies" that make money by hijacking information need to be dealt with.
Agile Artisans
Personally I regard spyware and adware the same way I regard rootkits. The machine's real users mostly don't know they're there, they are using my computing power and bandwidth to provide service to some other person who is using the access to my computer to gather information about me and use this information to target me with traffic I neither like nor want, and in some cases, hijack *my* internet services.
I personally don't particularly like adverts on web pages, but I can see they are needed on some sites that can only survive by the revenue they generate.
The fact that theftware (I think this is a reasonable description of programs which steal my bandwidth and steal others' advertising space) such as Gator *steal* (and I can't think of any other way of describing this) the advertising space, paid for by companies that are *supporting* some of the websites I view, strikes me as the most dodgy tactics imaginable, and I hope these companies go broke.
If there isn't a law covering this disreputable activity already, I hope we get one soon.
We have regulations on what people can and cannot do with private property, why should an online computer be treated differently? Oh yeah, they flash a so-called licence agreement to the user just to be on the safe side of the law, that you dismiss by either clicking yes or no (read the very fine print). That is unacceptable. Any program installing on a computer should clearly show how to exit the installation process, and better, unsolicited installs should be banned altogether. I'm talking about those occurring when you just load a web page. You never asked to install anything, or never wanted to do so, yet something asks you to install it, often in a deceptive manner.
It shouldn't be too difficult to pass such a law, and legit businesses will adapt very well. As a matter of fact, legit businesses already have adapted: a clear warning or information page with a link to the install program. Plain and simple.
*End Users* do not gain any authority by the fact that they can sit at a keyboard.
Doesn't matter if it's a 12 year old kid at your keyboard in your house, and it doesn't matter if it's a secretary in a 500 person company. Neither of these people have the authority to consent to anything, especially binding agreements (and contracts, which is how the s/w industry would like their EULAs treated).
All this crap does is legalize social engineering. Think about it.
help me i've cloned myself and can't remember which one I am
I love spyware, the more machines infested with it the better. Users get fed up with all the pop ups and machine stability problems. I either get money to remove it or it becomes amazingly simple to convince these people to try Linux. It also had a dramatic effect on overall TCO of the environment. I work in a mixed environment of Windows and Linux desktops. The Windows side takes three to four times the amount of maintenance because the support guys spend at a minimum 70% of their day cleaning machines.
Got Code?
At the least, there should be a law requiring all installed programs to show up in the "Add/Remove Programs" dialog and actually remove themselves when told to do so...
This should be OPT-IN only, just like SPAM should be. It has to clearly state what it is and what it does, ie, it snoops and reports your every move while browsing and targets ads at you based on this. It should also be required to ask permission to install.
Anything less and it should all be illegal, with large fines and loss of internet connection for that company, for 5 years. If that closes them down, so freakin what!
Professional Politicians are not the solution, they ARE the problem.
This is typical privacy nut FUD. For example, Gator only has EIGHT eyes, and he can't possibly keep track of your every move because sometimes he's slowing down your internet connection when he secretly downloads ads, and other times he's busy crashing your computer. Do you really think he can download ads, crash your computer, AND track you all at the same time?
Yeah I didn't think so tinfoil man.
Never confuse volume with power.
-
This is a slippery slope, people. You can make something illegal just because you don't like the idea of it. If people are installing this at-will, then there is nothing morally or ethically wrong with it.
This is a rather optimistic view of things, I take it you've never run afoul of much ad/spy-ware. The issue isn't so much software that people willingly choose to install (although Gator and some others don't really warn you fairly about all the popup ads you'll be getting as a result) but about software that installs itself piggy-backed onto other software without warning. Most spy-ware especially is like this. Even once you find out it's there, getting rid of it takes an act of God, or at least 3rd-party software. Why? Because at best the company only provides a broken uninstaller, normally there is no uninstaller. Add in the fact they often don't show up under add/remove programs (let's face it, this is primarily a Windows-land issue) or even under program listings, and you have software that is NOT even trying to act like it's a legit install.
The only 'spyware' that is problematic is the kind that installs itself by exploiting software bugs in browsers, and that is already illegal: it's called a virus.
So sorry, this isn't a slippery slope, this is about making the software companies that put this crap out start playing nicely and acting like good citizens of the online world, as opposed to their current shady, back-alley actions.
The point is this: no legitimate software should install something that you don't want, period. Ads I can agree with, people gotta eat, but Spyware is showing complete disdain for your userbase and really insults them. That would be like a car dealer giving you a free car, equipping it with GPS, slowing down the engine, making it run like crap, installing a hidden camera, and then slashing the tires. Spyware companies are not very well known for following the law, so one would hope this does not provide loopholes and ends up legitimizing Spyware, as is happening with SPAM.
I hate sigs.
You people should be ashamed of yourselves. These people have the right to make money like everyone else!
This is the most common fallacy I see in today's political atmosphere. No one has the right to make money and the government's job isn't to make sure people with crappy ideas or products no one wants stay in business.
Newsflash to programmers: If people will work cheaper than you they will get your job.
Newsflash to farmers: Some crops don't grow well in some states.
Newsflash to RIAA: No one NEEDS you anymore, Musicians can produce without you and we can sure as hell distribute without you.
Newsflash to Unions: See Newsflash to programmers
Never confuse volume with power.
Is this any different from lawmakers doing things to protect the auto, oil, media, etc industries? They have an interest, because these companies pay for campaigns. They don't try to force down gas prices, they don't force too many radical automobile innovations, they don't try to keep cable prices down (except for token, known to be worthless, efforts)
I don't know of any spyware makers big enough to support politics, but who knows. Maybe Time Warner, or GE owns something we don't know about.
Just a thought.
-Patrick
"They never stop thinking about new ways to harm our country and our people, and neither do we."
About a particularly nasty form of spyware.
When I am king, you will be first against the wall.
Nice troll.
For those who don't know what new.net is about, it's basically a company which offers custom domains. Their spyware installs a layer which takes over all DNS resolving and redirects it to their servers.
A housemate of mine got infected with New.net. He could no longer log in to the university network, because Internet access was not allowed until logged in and thus the request to resolve the domain name of the log-in server could not reach new.net. This is what happens when stupid people write software without considering all scenarios.
"Nobody is forcing people to install this software; people agree to install it themselves."
Bull!!!
I've a twelve year old developmentally disabled child who surfs websites such as Disney, Cartoon Network, Goosebumps, Warner Brothers etc.
A recent cleaning with Adaware and Spybot Search and destroy revealed over 150 instances of spyware on his computer including one goofy search toolbar which prompted the most recent cleaning.
Do you think he agreed to install this shit on his computer? Most of the time I can't get him to agree to take a bath. Quite frankly, I think these kid friendly sites need to clean up their act or face some consequences.
They all have these nifty little games, wallpapers, movie trailers, along with, Gator, Claria, and tons of spyware children have to install to view or play the content.
While the majority of the American public lacks the critical thinking ability to be able to consider the far reaching implications of their actions there are a few people, hopefully in positions with real capability of impact, who can see the problem for what it is. The average American doesn't realize the full power vested in a web browser that integrates tightly with the operating system. Most Americans don't realize what kind of trouble they're getting themselves into when they demand that their web browser be able to directly access their sound card, or their video card, or integrate seamlessly with apps on their system so that everything seems to be running inside the browser window as if the browser _were_ the operating system. These citizens clamor for functionality and then clamor for security. It is possible to have both but the price is in learning or in cost and both of these are unacceptable to the popular citizenry.
People in general, and Americans in particular, are obsessed with the mantra of "do something". Perhaps it has been beaten into our culture from the WW-I and WW-II era old hardtimers who felt the indignance of being marched off to war and then watch their subsequent generations enjoy profit without the pain of shell-shock or watching best friends get riddled with bullets. Whatever the reason the American society seems to be unable to enter into a state of natural flux--ebb and flow. Instead American society is stuck in a full steam ahead approach to everything. Refinement means nothing and progress means everything. The definition of progress is addition and more addition. The component of progress that involves improvement has been swamped by the "do something" drive to add more.
Adware and spyware have come about because the operating system and web browser which appeals to the popular citizenry has given them what they want. It has given them more and more and more as they asked. When the problems arose that, in a normal system, would have encouraged refinement and improvement, the users demanded more and more and more. This resulted in EULAs. EULAs made it possible for the software industry to concentrate on giving the users what they want: more. EULAs made it possible for software manufacturers to be free and clear of the necessary refinements and improvements which could have made adware and spyware obsolete before it ever started.
The approach to this problem is not to pass more laws. That approach does nothing but feed the "do something" attitude which has brought us to the quagmire of today. The approach to this problem is to refine and improve what we have. We need not to add more laws but rather to remove the artificial laws which give umbrella protection to less than optimal designs.
+++ATHZ 99:5:80
I agree totally. There's nothing inherently wrong with adware. The term simply means software that is supported by ads. The free version of Opera is adware even.
You want to pass a law that criminalizes something that's not even defined? Klerck is right about this being a very slippery slope, but even more than that, I just think that they won't be able to come up with a definition that actually covers malware without affecting other "legitimate" software as well. If you refer to the data collection aspect, that could include a lot of companies who happen to collect some of your data for some purpose, even if their privacy policy matches your ideal definition. Most likely, a law for this would just lead to another paragraph in the program's EULA detailing exactly what data it sends where (many already have this info) or another question to answer, but since nobody reads the EULA and just click on every Yes button anyway, it won't actually have any effect on the end result.
These programs do offer some additional value to the user, though it's often something menial. True to the capitalist system, your payment for their service is that they collect data on you to sell to advertisers or whatever. You get something in return for giving them something. Even though most people probably wouldn't find the software worth the cost if they stopped and thought about it, there's nothing that inherently makes this software any less valid than any other piece of software.
Barring bugs in your software, just pay attention to what you install and you won't have problems. When I see a page in a setup program that asks if I want to install Gator too, I uncheck the box or click Cancel. I don't click yes to every popup I get. My parents don't even have a problem with spyware. (Hint: There are browsers available that aren't littered with remote execution bugs and don't automatically run every program they come to. That's a good start to keeping this stuff off your computer.) If they're using software holes to install themselves without your knowledge, then they're probably in violation of some clause in the DMCA, and already illegal. Making more laws that can't be and/or don't get enforced always solves problems, right?
Many can be uninstalled just by using the Add/Remove Programs tool. If so many people want to take it off, how come I find so many computers where it could be removed with a few clicks, and isn't?
I can monitor what data a program on my computer accesses. It's not real easy to sift through all that information, but it's available if I want to use it. My firewall blocks outgoing transmissions unless I authorize them. I honestly don't care if there are a million programs on my PC spying on me, because the information doesn't leave my computer.
I don't think it gets any simpler than that. That's the sort of laws that we're looking at. Either they're going to have loopholes so the intended software can get around them, or they'll be so broad as to outlaw all data transmission over the internet.
Shouldn't spyware already be covered by laws against spreading viruses? Spyware is software installed on my machine without my knowing it, and this is exactly what happens when a virus spreads. What's the difference?
When it's distributed by a business, it's called spyware, and when it's distributed by a 14-year-old, it's a virus. Is this asinine or what?
All it takes is one death for the Food and Drug Administration to ban ephedra, when many people use it intelligently just fine. Those people don't need "protection".
In contrast, the FTC doesn't want to protect you because spyware "might hurt good software." Yes, let's leave open the possibility for malware, spam, Windows, etc., to take over your computer, steal your identity, wipe out your bank account, etc. Those things can also "kill" your livelihood, in a sense.
Bah.
It was a simple - and amusing - idea that an FTC commissioner would be named 'Swindle' - nomen erat omen and all that. It was not an ad hominem attack or an attempt to assassinate Mr. Swindle's character.
(603413 Posties - now with 100% of your recommended daily allowance of Latin!)
I want to drag this out as long as possible. Bring me my protractor.
hmmmmm..... they think they can just pass a law and stop this stuff. "Honey, I bet if we pass a law I can get this monkey off of my computer! Plus, we gain even MORE control over what people can do with their computers. PERFECT!"
Maybe these lawmakers should just throw their own computers in prison. A computer is cheaper to maintain in a cell (no need for food, water, and exercise). Plus *POOF*, their problem goes away. No more adware! Hell no more viruses or evil hackers either! Their computer can be in prison with all the rest of the evil non-violent offenders! They can come visit it when they need to use Word.
Hell you can even stack all the congressmen's and senators' computers in a couple cells I bet ya! Simple solution. Cost effective!
Really I think that people with that little knowledge of computers have no business passing laws about computers. Ridiculous. Do you take your computer to a lawyer to have it fixed?????
"Congress shall make no law... abridging the freedom of speech, or of the press"
Basically he is advocating a 'don't throw the baby out with the bath water' approach.
It's hard not to become cynical about the state of US "democracy" when spyware and spam elicit a "don't throw the baby out with the bathwater" response, but the DMCA slides through congress on a greased fast track.
Stop-Prism.org: Opt Out of Surveillance
I had an opportunity to drive one of our state representatives around for a weekend. And one of the things that I came to understand is how incredibly difficult it is to write legislation, that does what it is supposed to, only does what it is supposed to, is applied by prosecutors that are too zealous and too lax and is not ripped apart by judges that are too conservative, liberal or senile.
It's kinda like writing a program that has to be bug-free on release, the specs change constantly and the whole QA department is at a seminar the last week of production.
Slow and careful can be good, it's not like there isn't good antispyware software out there for free. Personally I use Spybot S&D; it's free as in beer, no cost, except donations. You can find them at www.safer-networking.org.
Apocalypse Cancelled, Sorry, No Ticket Refunds
The FTC is off their rocker. What legitimate software out there is unable or unwilling to comply with this legislation? Seems to me that simply notifying the customer of the exact actions of the software and making removal of the software a normal process would be sufficient. When I load software, and it includes components that may contact a website and send information, I want to be told this and EXACTLY what will be sent and choose yes or no to this specifically. A good example is WinAmp. After installation, I was asked to register and decide if I wanted usage information to be sent periodically. Self-correction has never worked with slimy businesses. The good businesses do change so that the distinction is clearer (no good business wants to be seen as slimy). However, the slime won't stop until it is made difficult to impossible for them to proceed.
I was taking one day at a time, but then several days got together and ambushed me. (from a Rhymes with Orange comic)
Windows Messenger Service! What in the hell was Microsoft thinking when they allowed routable IPs to connect to Windows Messenger Service by default.
Seems like every time I thought I had it turned off, some damned Windows update would turn it back on. Microsoft must have been paid off by spammers worried they couldn't use Email anymore, makes more sense than they're just that stupid.
Finally bought a Linksys router (which runs on Linux) to make the messenger spam go away for good.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Spyware -- software that piggybacks on other software and masquerades itself as something relevant, hoping you won't notice.
How ironic would it be if the house of reps outlawed spyware, and inadvertently made it illegal to tack "riders" onto House Bills.
IDNRTFA. 0:-)
-NOT MAKING ORDINARY USERS ADMINISTRATORS! (usually due to laziness because some lame app written for win95 doesn't work and the 'IT guy' doesn't know how to change a reg permission).
Ok. In almost all cases, not necessary for spyware.
-Centralized, automatic, forced software upgrades.
"CEO Smithley? Yes, this is CFO Barker. Well, I was just working on my Excel numbers for our shareholder presentation, and my machine rebooted when I went out for a cup of coffee and I lost all my work. IT says something about "security holes", and how they won't stop doing this. Can we just get rid of that new CIO? He's been a pain in the ass since he got here."
-Using a "bare minimum to do what I need to do" model for security access
Sounds great. Not real practical except in the presence of competent security admins to define "what needs to be done". Not a lot of those floating around.
-Firewalls that block certain *outgoing* access as well as incoming
Useless, because of the "IE hole". IE essentially has to be allowed free access, and it's easy for applications to request IE to send data over the network. There are a ton of vectors to use.
-Disabling, not installing, etc. software and services that are unnecessary. (again, frequent IT ignorance here. Idiots who don't know anything about software installation other than to select
And you've got everything locked down and then something comes along that needs to use Active Directory. Uh, huh.
-Some modicum of Blocking/Blacklisting/etc. access to sites/services that are known to be nothing but viruses, spyware, etc.
Not a reliable blocking mechanism, and probably done by many companies.
-Education, education, education. e.g. "No Ms. Jacobs, you should not click yes to the Bonzi Buddy installer." or "No, Mr. Harris, you should not type your local network password into that website's Java popup window just because it is asking for it."
I agree that this can be done with some things, but training is expensive, and things that are obvious to someone with years of experience in the computer industry may not be to Joe User.
-A well thought, clearly-defined acceptable use policy that is enforced - including termination for serious violations
Yeah, firing a leading salesman because he clicked "OK" in a Bonzi Buddy dialog is going to go over *real* well with upper management.
There are a couple issues here.
(a) Microsoft has made many extremely poor decisions WRT remote control over the local computer. Outlook hands email off to a full-blown HTML renderer, MSIE allows to be communicated with in many ways, is tied tightly into the OS, allows popups, has been used to push ActiveX and the like. Windows runs a number of network services out of box (and Microsoft treats the solution to the exposure of their poorly-designed-from-a-security-standpoint set of on-by-default Windows networking stuff as IP-based firewalling). Many folks are stuck with this (barring something extreme like switching to Linux, which is frequently not an option). A quick change to some policy will not fix these problems.
(b) Spyware vendors are smart and computer systems are complex. I won't bet on the ability of Joe User to avoid being gulled by SpywareCo programmer Mike Assmunch.
(c) Windows does not provide good tools for analyzing what programs are doing. Linux does not provide good easy-to-use tools.
(d) Personal computer OSes (Windows, classic Mac OS) are designed around easy configuration and administration by users rather than operating like a kiosk.
(e) Users value features and performance over security (which is really hard to see and measure, anyway...most people that "sell security" in a way that can be understood by the end user are selling the illusion of security -- personal firewall vendors, Verisign in general, etc)
May we never see th
All of the accounts I've heard from former Vietnam POWs say that everyone broke eventually. Those that didn't break were probably tortured to death and we don't have their accounts. So if he's claiming that they never broke him, in the absence of any 3rd party evidence, then his credibility has already taken a nose dive in my mind. Moreover, if he's equating not breaking with retaining his honor, that's even worse, and is an insult to all the other men who went through hell for years on end.
"The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
Voilà! the Spyware makers will DDoS themselves when all these systems are phoning home.
"Teleporting Rodents with D-Cell Battery Displacement" theory -- IgnoramusMaximus (692000)