FTC Officials Wary of Spyware Measures

Nofsck Ingcloo writes "News.com is reporting thusly: 'Two Federal Trade Commission officials ignited a political firestorm on Thursday by criticizing proposed laws targeting spyware and suggesting that the measures might harm legitimate software products, too.' During an appearance before a House of Representatives panel, FTC Commissioner Mozelle Thompson said the measures were the wrong approach to spyware and adware. Basically he is advocating a 'don't throw the baby out with the bath water' approach."

Wonder how much...

[Zondar]

he gets from these so-called "software companies" in contributions?

Re:Wonder how much...

[sohojim]

Actually, FTC Commissioners are appointed, not elected, according to this page:

http://www.ftc.gov/bios/commissioners.htm

I don't think government employees can accept "contributions" from companies -- granted, that's just for "over the table" contributions.

What's funny is that the Trade Commissioner listed after Mozelle on this page is named "Orson Swindle."

Re:Wonder how much...

[Zondar]

"According to a search on Lexis/Nexis [lexisnexis.com] (paid search; subscription required) Claria Corporation donated $10,000 to Mozelle Thompson's campaign and WhenU.com donated $20,000."

And why does this not suprise me?

Re:Wonder how much...

[Lumpy]

he gets from these so-called "software companies" in contributions?

I dont think it is that, I am almost 100% sure it's just that these decision makers are incompetent in understanding what is actually being talked about.

These are men and women that dont understand a computer one tiny bit to begin with let alone the concept of a software program installed that does things secretly behind the scenes that you are not told about.

It's either someone in their staff is not accurately explaining to the leaders what the spyware really does, or this is a glaring example that the people being chosen to lead this country are in reality horribly underqualified to do the job they were selected to do.

I am betting all my money of the latter.

Re:Wonder how much...

[thrillseeker]

I don't think government employees can accept "contributions" from companies -- granted, that's just for "over the table" contributions.

What's funny is that the Trade Commissioner listed after Mozelle on this page is named "Orson Swindle."

Orson Swindle spent six years being tortured by the North Vietnamese in a Hanoi prison. He came back from that without breaking and with his honor intact - I suspect he's a little beyond being bribed than the average whining slashdotter could even understand.

Re:Wonder how much...

[B'Trey]

We know that lawmakers are incompetent when it comes to understanding technology. We know that when they try to write legislation controlling technology, it's almost always a bad thing. (I say "almost" but right now, I can't think of a single counter example.) We are all aware of the purported intent of the DMCA. Whether or not you support that stated intent, we're all aware that it goes much further than that - that it threatens legitimate research into encryption, that it's used by large corporations to browbeat small companies and individuals into submission, and that it's simply a Bad Thing, regardless of the intent.

So someone stands up and says "You know, Congress doesn't have much of a track record in writing technical legislation. The intent of anti-spyware legislation might be good, but I'm not sure that the actual legislation as written will accomplish the intent and it might actually have some far reaching implications that go well beyond the intent. Lets make sure that what we pass into law is the right way to do this." Why is it that that guy's a bad guy who's being accused of being a bribed shill for corporate interests?

I don't like spam, I don't like spyware, I don't like trojans or worms or viruses. But I dislike Congress' meddling in these affairs even more - they almost always bungle the attempt and cause more harm than they do good; often they cause more harm than the problem they're trying to fix. Law isn't the solution to technical issues. Let's leave the clueless lawmakers out of it.

Re:Wonder how much...

First the average whining slashdotter above was making a joke based on his name.

Second honor in one scenario doesn't mean honor it all. I know nothing of Mr. Swindle so I assume he's an okay guy until he proves otherwise (which is unlikely since I'm unlikely to ever meet the man and he's unlikely to ever be in a high level scandle that makes CNN) but the thing that irritates me is the assumption that he's stand up because of an event 30+ years in the past. Yes he did good, yes he was honorable, yes it was important...no it was not the sole act by which he should always be judged from now on. I appreciate Mr. Swindle's service to this country and I thank him for his honor in a time of emense hardship and torment but that does not make him above questions or reproach should he be involved in something shady.

Honor and honesty are life long pursuits and those that don't see that (i.e. cops who cover up for other cops, soldiers who hide war crimes because of justifications of brotherhood, preachers who betray financial trusts in the name of God, and in general any of the any means necessary causes out there, et. al.) are the enablers of corruption in our society.

That said again I'm pretty sure the slashdotter was making a lame joke based on his name...get a life and see if someone can't remove that chip from your sholder.

Chuck it

[nycsubway]

Heave the "baby" out with the bathwater. Spyware is called spyware because of what it is. There's no mistaking a legitimate program that user chooses to install. In my opinion, if the user knows its being installed than its not spyware. If the user doesn't fully know whats being installed than it is spyware, and that type of software should be chucked out with the bathwater.

Re:Chuck it

[mi]

Will you mother know about the bug-reporting part of Mozilla, when she chooses the "complete install" -- on your insistence, she does not use IE?

Re:Chuck it

[jafomatic]

If the user doesn't fully know whats being installed than it is spyware

And how exactly do you propose to verify this beyond a doubt? Consider the old RealPlayer, which some of us were willing to install that first time, that required non-beginner knowledge to fully remove.

You and I may know what we're installing, and we might also consider it pretty stupid-easy to go edit out the thing's entries from our windows registry, but that doesn't mean your below-average-or-average user will comprehend this. Those are exactly the people who are most affected by spyware.

The rest of us already know how it got there and how to get rid of it.

Re:Chuck it

[platypussrex]

The article quotes the FTC guy as saying that if Spyware laws were implemented, then every time one did an install of something such as Office there would be hundreds of "helper" programs that would need permission, or warning, or whatever.

I can see his point... if the user is asked for a blanket permission at the start of the install then it negates the purpose of asking permission for the spyware components but if each individual program asks permission, it would take all day.

So what's the solution?

Re:Chuck it

[grahammm]

Yes, but the bug reporting in Mozilla asks your permission before it sends any data. Also it allows you to preview what it is going to send

Re:Chuck it

[Mr+Guy]

No one seems to mind the checkboxes that already come when installing massive multicomponent programs such as Windows or Linux to begin with. You know the ones, they have tree hierarchies and let you select the features you want and not to select the features you don't.

Solving the problem for MOST legitimate software is as simple as requiring any software by a third party to have it's own checkbox and explanation of what that software does. Require a set of privacy keywords that is legally enforcable in those explanations. For example, a legal description for Gator may contain three keywords words: ADVERTISEMENT POPUP PHONEHOME. They could define as many keywords as the public wants, performing a "spyware function" without notifying via the keyword would trigger heavy fines. Requiring a link to a privacy policy wouldn't be a bad idea, assuming that policy had any legal weight to it.

Re:Chuck it

[WCMI92]

Some sensible regulations:

1. ALL seperate programs not fully integrated into the main program have to have a seperate EULA.

2. Software must come with an uninstaller that completely removes ALL elements packaged with the program.

3. "Phone Home" spyware must include in the EULA a list of exactly WHAT data it sends, and what protocals and ports it uses to do it.

4. Spyware makers MUST have provisions to comply with COPPA, and not collect information on persons under 13 (the killer nuke regulation, one Gator can't possibly comply with, but one they could be prosecuted for RIGHT NOW)...

So why isn't the FTC prosecuting any yet?

[Maestro4k]

From the article:

• The FTC representatives countered by saying that while they were "outraged" by spyware, a careful approach was necessary. In addition, during an FTC workshop last week, a prosecutor noted that the Justice Department already had sufficient legal authority under existing computer crime laws to put the most noxious spyware makers in prison.

If this is true then why aren't they? There are certainly several spyware products "noxious" enough to warrant a prosecution. Sounds like a bluff to me.

While I understand the FTC needs to protect legitimate business interests along with consumer's interests, this is ridiculous. Yes there may be difficulty in wording the bill so that it doesn't hinder legit software, but that's something that can be resolved. Self-regulation sure as hell isn't going to work, the adware and spyware companies have shown little to no restraint in doing whatever they damn well please.

Don't believe that last sentence? Just check out how they all claim you have to opt-in to their software, that it's never installed without your permission. Then check out the ad/spy-ware infected software installs and see if they warn you about them. I've yet to see a warning when one of the buggers shows up, and I do read the info during my software installs.

And finally, just try to remove one without a 3rd-party utility, they're nearly impossible to remove. That alone makes them trespassers to me, since you can uninstall them but they're still partially there, cluttering up your hard drive and mucking with your OS.

Basically he is advocating a 'don't throw the baby

[eclectro]

Basically he is advocating a 'don't throw the baby out with the bath water' approach."

In this case the baby is green, has 10 eyes, keeps track of your every move, spits in your face with ads, and is guaranteed to wreck your house.

So you do toss the baby out with the bathwater. Otherwise you have a monster on your hands.

Some call him Gator

No baby

[Hi_2k]

There's no baby in the bathwater of ActiveX installs. There never was. Who needs software installed directly from the web browser? Legitimate installer programs are easy to come by, and most people who are able to go out and search for the software in the first place are smart enough to get it downloaded and installed.
There is a problem in preventing "Third party installations" from being included in the installers, as many games and legitimate tools have come to rely on DirectX, Quicktime, and Rad Game tools. But there is no necessity to include them as part of the installer itself. Meerly make a note in the installer that you need to install these utilities too and that they are included on the cd or in a setup directory.

As in real life

[Alcoyotl]

We have regulations on what people can and cannot do with private property, why should an online computer be treated differently ? Oh yeah, they flash a so called licence agreement to the user just to be on the safe side of the law, that you dismiss by either clicking yes or no (read the very fine prints). That is unnacceptable. Any program installing on a computer should clearly show how to exit the installation process, and better, unsollicited installs should be banned altogether. I'm talking about thoses occuring when you just load a web page. You never asked to install anything, or never wanted to do so, yet something asks you install it, often in a deceptive manner.

This shouldn't be too difficult to pass such a law, and legit businesses will adapt very well. As a matter of fact, legit businesses already have adapted : a clear warning or information page with a link to the install program. Plain and simple.

Solution is still crap...

[SmurfButcher+Bob]

*End Users* do not gain any authority by the fact that they can sit at a keyboard.

Doesn't matter if it's a 12 year old kid at your keyboard in your house, and it doesn't matter if it's a secretary in a 500 person company. Neither of these people have the authority to consent to anything, especially binding agreements (and contracts, which is how the s/w industry would like their EULAs treated).

All this crap does is legalize social engineering. Think about it.

The point here.

[Raven42rac]

The point is this: no legitimate software should install something that you don't want, period. Ads I can agree with, people gotta eat, but Spyware is showing complete disdain for your userbase and really insults them. That would be like a car dealer giving you a free car, equipping it with GPS, slowing down the engine, making it run like crap, installing a hidden camera, and then slashing the tires. Spyware companies are not very well known for following the law, so one would hope this does not provide loopholes and ends up legitimizing Spyware, as is happening with SPAM.

Wired news article today

[Zog+The+Undeniable]

About a particularly nasty form of spyware.

Tin foil from the other side

[maximilln]

While the majority of the American public lacks the critical thinking ability to be able to consider the far reaching implications of their actions there are a few people, hopefully in positions with real capability of impact, who can see the problem for what it is. The average American doesn't realize the full power vested in a web browser that integrates tightly with the operating system. Most Americans don't realize what kind of trouble they're getting themselves into when they demand that their web browser be able to directly access their sound card, or their video card, or integrate seamlessly with apps on their system so that everything seems to be running inside the browser window as if the browser _were_ the operating system. These citizens clamor for functionality and then clamor for security. It is possible to have both but the price is in learning or in cost and both of these are unacceptable to the popular citizenry.

People in general, and Americans in particular, are obsessed with the mantra of "do something". Perhpas it has been beaten into our culture from the WW-I and WW-II era old hardtimers who felt the indignance of being marched off to war and then watch their subsequent generations enjoy profit without the pain of shell-shock or watching best friends get riddled with bullets. Whatever the reason the American society seems to be unable to enter into a state of natural flux--ebb and flow. Instead American society is stuck in a full steam ahead approach to everything. Refinement means nothing and progress means everything. The definition of progress is addition and more addition. The component of progress that involves improvement has been swamped by the "do something" drive to add more.

Adware and spyware have come about because the operating system and web browser which appeals to the popular citizenry has given them what they want. It has given them more and more and more as they asked. When the problems arose that, in a normal system, would have encouraged refinement and improvement, the users demanded more and more and more. This resulted in EULAs. EULAs made it possible for the software industry to concentrate on giving the users what they want: more. EULAs made it possible for software manufaturers to be free and clear of the necessary refinements and improvements which could have made adware and spyware obsolete before it ever started.

The approach to this problem is not to pass more laws. That approach does nothing but feed the "do something" attitude which has brought us to the quagmire of today. The approach to this problem is to refine and improve what we have. We need not to add more laws but rather to remove the artificial laws which give umbrella protection to less than optimal designs.