Australian Gov't To Consider Spyware Laws

bernie writes "It seems the US is not the only country with spyware legislation in the works. According to this Computerworld article, a bill outlawing the 'harvesting without consent corporate or personal information via a Web site or with software applications for marketing purposes will be classified as 'spyware'' and is set to go before parliament later this year. In addition to making all 'spyware' opt-in the bill will cover 'malware' such as viruses, trojans, and worms. Interestingly, the article cites lack of 'international cooperation' as a barrier to effective enforcement of cyberlaws. Also included is a statement from the EFF that it 'would like to see a more serious effort made to use existing laws against unfair trade practices, misrepresentation, computer fraud and abuse, before new technology-specific laws are passed'."

To repeat:

[swordboy]

Unless the Australian government has jurisdiction in foreign countries, this has the same affect as spam laws:

The assholes just relocate to another country.

Re:To repeat:

[Techguy666]

That doesn't mean that governments should just give up and not make these laws. Enough of these laws get passed around the world, those who intentionally wish to violate these laws will have no place to hide.

After the laws are passed, even if a few second or third world countries allow spyware / spam creators to work in their countries, the countries with spyware/spam laws can form a "coalition of the willing" and blackhole violating countries altogether until they comply and pass similar laws. (Wow, even Bush can serve as an educational example.)

Regardless of the politics of tossing entire countries into a blackhole filter, the point is that inaction allows spammers and spyware creators to breed.

Re:To repeat:

[eggoeater]

Yup. And the people who make this crap (like that stupid monkey tool bar...) will just change the EULA, that all my relatives just click through, giving them permission to harvest info and install more spyware without further notice.

Re:To repeat:

[L.+VeGas]

..even if a few second or third world countries allow spyware / spam creators to work in their countries, the countries with spyware/spam laws can form a "coalition of the willing" and blackhole violating countries

Hey, it worked to keep out drugs, didn't it?

Oh, wait..

Re:To repeat:

[stanmann]

Difference is people want drugs... Drugs are fun... SPAM isn't.

The best part

Users will be required to install the Australian government's spyware to make sure other spyware isn't installed.

Good!

[suqur]

The more spyware/malware laws we get the better. It's so frustrating trying to use a computer with tons of spyware and spyware trojans. Ugh. And they say the average PC has 28 spyware programs running on it! This needs to stop.
It took me about 8 hours to clean out a friends computer the other day. He had about 15 viruses all installing spyware daily.
Here's some suggestions for cleaning your computer:

Grisoft's AVG Anti-Virus Free Edition - this is key. Free auto-updates too
http://www.grisoft.com/us/us_dwnl_free.php

Lavasoft's Ad-Aware - run it every so often, and always be sure to update it manually.
http://www.download.com/3000-2144-10045910.html?pa rt=69274&subj=dlpage&tag=button

CWShredder - removes only a few trojans that give you tons of ads, but does a better job of fully removing them than ad-aware.
http://www.spywareinfo.com/~merijn/downloads.html

Spybot-Search & Destroy - Similar to Ad-Aware. You should run both.
http://download.com.com/3000-8022-10122137.html

Re:Good!

[Mz6]

"Spybot-Search & Destroy - Similar to Ad-Aware. You should run both.
Is it really necessary to run both? I've been fine with just Adaware for a while now."

Actually, it's recommended to run both of them. The reason is because they both use different methods of determining spyware. While one may not find/remove a spyware program, the other may remove it perfectly. It shouldn't take much to install and run both nd you are protected that much more. Besides, you can't beat the rpice... right?

Re:Good!

[suqur]

Wonderful Anti-Virus software, but what does it have to do with spyware/malware?

So many people don't run Anti-virus software, and many of these people are the same that open up email attachments they weren't expecting.

There are TONS of trojans out now with the simple payload of installing spyware on your PC.

The PC that I mentioned I worked on recently had over 500 dll/registry keys/executables and bookmarks (not counting another 300 cookies) that were found as spyware. I removed them all with Ad-Aware, and after a reboot, another 150 files were immediately put back by about 15 different trojans.

I consider anti-virus to be a huge deterrent to spyware.

Is it really necessary to run both? I've been fine with just Adaware for a while now.

They both find different things. So yeah, it's good to run both. Spybot also has some nice features to automatically setup your hosts file and other things to block even more spyware.

Re:Good!

[jacksonyee]

Is it really necessary to run both? I've been fine with just Adaware for a while now.

It's not absolutely necessary to run both, just as it's not absolutely necessary to run a virus scanner if you're relatively sure that your firewall will stop most of the viruses going into your network.

However, having two separate programs with two separate databases increases the chance that one particular vermin might escape, since there are two levels of checks against it. What was the last program you used that did absolutely every single thing that you wanted it to do? For me, having two separate programs avoids vendor lock-in and encourages improvement. It's still not 100% secure - nothing is. However, it's a little bit more peace of mind when you go to clean your co-workers' computers off because Internet Explorer gave them more bugs than an open can of Mountain Dew in the summertime will attract.

Re:Good!

[suqur]

I forgot to mention HijackThis. It's another great tool for getting rid of spyware, but it's definitely for the more advanced user. It'll show you both good and bad items, so discretion is important.

You can easily track down spyware by googling for the different exes and get tips on removing them.

http://www.spychecker.com/program/hijackthis.html

Re:Good!

[frodo+from+middle+ea]

If the PC was that badly infected. Don't you think a better option would have to format the whole thing. Run some kind of boot sector virus scanner using some boot disk and reinstall every thing.

a legislative idea

[millahtime]

Interestingly, the article cites lack of 'international cooperation' as a barrier to effective enforcement of cyberlaws.

An idea to get international cooperation would be to make it an act of war to get a mail bomb or any other kind of attack. We (in the US) get a couple of these... go knock on that countries door a few times and we'll get the cooperation from everyone we are hoping for.

Adaware

[thedillybar]

Don't think this means you can do without Adaware or some other anti-spyware software. Worms and viruses have been illegal for a long, long time; you still wouldn't let any non-tech-savvy person near a computer without antivirus. It will be a long, long time (probably not in our lifetime) before we can do without anti-virus and anti-spyware stuff.

If these bills cut the number in half I'd be pleased.

Too bad....

[tha_mink]

Spyware. It's nasty. But...(and I hate to say it), I make a pretty good amount of money removing it from client PCs. "Internet Optimizer" and "XXXToolBar" are 2 of the more particular nastier ones I come across. It makes it virtually impossible to use IE. When one finds out what these nasties do and how they do it, one gets surprised that they aren't illegal yet. I am all for making this stuff illegal but I sure will miss the extra income.

Re:Too bad....

[Eraser_]

I have a really bad habit of installing Mozilla for people who have IE/OE related woes and never getting a call back from them again. I do make sure and "leave" a couple extra business cards though, and eventually their friends start calling.

Better yet, the other day I got a lead on a car dealership that needs a new "on-call" tech guy, plus a network overhaul. All this from a little spyware prevention lesson.

I have an idea

Let's pass a law. That always stops people.

How Does This Work

[somethinghollow]

When it says "Click Yes to install if you agree with the EULA." and the user does, what is the problem? People install spyware themselves. It's (at least for the most part) an ID-10T error, not an exploit. Are these governments going to MAKE users read and understand EULAs before installing things? Aren't these people warned in the EULA before they install? Granted, I hate spyware as much as the next, but the worst I've had is DoubleClick cookies that AdAware says is spyware. I just click "No" by default now instead of "Ok" when the "install software" box pops up in IE (at work... never had the problem with Safari at home).

Re:How Does This Work

[WoodenRobot]

Aren't these people warned in the EULA before they install?

One nasty problem with this is the fact that often by the time you get to a page with a EULA, the damn site's installing spyware - and the EULA's something along the lines of "by looking at this page, you agree to be infested".

Yeah, there's a EULA, but it's effectively worthless, and is just a get-out-of-trouble clause for the malware supplier...

Re:How Does This Work

[mikera]

It's a pretty basic principle that in order to have a fair contract, a person must have a full understanding of what they are agreeing to. Free markets require informed consent on every transaction in order to work effectively.

In general that's not the case. That's a fundamental flaw with EULAs - people simply don't read them.

On top of that - people make mistakes. Perhaps just *once* you forget to tick the no spyware checkbox. Do you therefore deserve a permanently compromised machine?

This all makes Spyware look like a deceptive trade practice in my book. Even if people do install it themselves, they've almost cetainly been duped into doing so.

Good spyware!?!?

[vijaya_chandra]

?Not all spyware is bad but most is sinister"

I don't get this, can someone suggest a good spyware?
Or is ntpd also nowadays considered spyware??

screen capture utilities used to capture passwords,..
Damn, now I know why all those passwords in our web site's user db are showing up as long "*"s upon decryption

(Karma be damned; I am no better than an AC anyway)

Milk and Cookies?

[mratitude]

What is the legal liability within the WWW community of the standard for setting cookies and other session tracking techniques within this law? It's this relationship between web server and web client that leaves the door open for spyware.

The intent of the law will be to establish the intent of the person using the browser rather than the intent of the web site organization who put up the url. But the web operator doesn't force anyone to click their link and the tools are available to prevent most spyware from loading across the link. Will the legal standing become nothing more than the equivalent of individual intent and unstated permissions?

It'll be an interesting legal question as to where various digital rights boundaries start and stop.

they should have followed New Zealand's lead...

[MariaK]

It would be so much neater to just go the same route for distributors of spyware as some have done for spammers. Release their personal information online along with a description of their offenses and let the outraged masses take care of it. Prosecute fully for any violent offenses, but if the offender is simply driven to cut off his phone line and Internet connection thanks to all the harassment he gets, that'd be fine.

The same approach might be less effective against corporations, but I'd still love to see an attempt.

But will this REALLY stop spyware?

[caffeineboy]

It seems to me that there are two major categories of spyware:

• The kind that tries to be "legit" and actually tells the user (somewhere in the EULA) that it is installing. Claria/Gator is this type.
  
• The kind that doesn't give a damn and installs through known IE exploits and weaknesses (Cool Web Search and Xupiter are like this)
  

The problem that I can see is that type 1, even though it sucks and no sane person wants it on their computer if it were presented honestly, is probably already compliant with these laws because somewhere in the EULA it explains what it is doing. Never mind that even moderately intelligent people just click "OK" as soon as any dialog box pops up on their computer (my fiance still hits "OK" whenever she goes to an encrypted page since she doesn't take the time to read the box and click "don't show this dialog again").

The problem with the second type is that they don't give a damn now and they're not going to give a damn. I can't belive that using exploits to install software is not already illegal somewhere, and many of these type of companies are already out of jurisdiction...

To tell the truth, I can't think of a good way that we will get around this. We have to remove the motive - perhaps prosecuting the people that advertise this way?

Legislation=Trojan

[Potor]

I bet legislation in this area will do nothing to ease the spyware problem, but instead will only act as a trojan increase governmental control of the web.

I know: not a new idea, or particularly interesting. However, I do find it funny to see people applauding legistative solutions to problems on the internet, which is usually praised for being an anarchic forum.

The EFF is catching on

[swb]

would like to see a more serious effort made to use existing laws against unfair trade practices, misrepresentation, computer fraud and abuse, before new technology-specific laws are passed

Here, here -- why aren't fraud and other bad-trade laws used more often? Is it a lack of resources? A cultural zeitgeist that embraces legal-gymnastics and rationalizations as legal compliance for prima faciae unethical conduct? Part of the current administration's pro-corporate/pro-business mindset?

It just seems that as long as you're not outright *stealing*, you can get away with pretty much anything, and it's not fraud. Has this always been the case?

EULAs - was Re:To repeat:

[Techguy666]

If it has an EULA and people have to "accept" the program before it runs, should it be placed in the same category as other spyware? If you say "no - it's still spyware all the same - people just click through the EULA without reading it", then what would you say about Windows XP, where you have an EULA and data gets transferred to and from Microsoft regularly (especially if you use Windows Media Player 9)?? Is that the same thing?

Users need to take some responsibility for clicking through EULAs. There are many laws against reckless driving but I still have to CHOOSE to drive down a one-way street in the wrong direction. Who's at fault here? The law for not being strong enough or me for being an idiot? Users who choose to install software without thought are in the same boat. There are limits to the effectiveness of any law.

If spyware makers create a valid EULA and requires a valid install procedure (one which doesn't hide additional installs, for example), I would say, grudgingly, that there's a place for these programs in the world.

Re:EULAs - was Re:To repeat:

[teidou]

what would you say about Windows XP, where you have an EULA and data gets transferred to and from Microsoft regularly ... Is that the same thing?

Yep.

Futility production

[Quicksilver]

Futilty detector is sounding... So it would be only illegal to collect this information for *marketing* purposes?!!!

That's a law that'll be useful.

Legislation is almost as scary

[yintercept]

The more spyware/malware laws we get the better.

I am staunchly opposed to spyware. I was disappointed with the article however. The article seemed to place dropping a cookie on the same level as using a Trojan to install a program that pop ups ads left and right.

From the article:

No program or cookie or any other form of tracking device is to be installed on any computer without the user of that computer being given clear information as to the purpose of the program or tracking device

Come on! The easiest way to do session management is to drop a cookie. The article in question suddenly classifies the majority of interactive web sites (forums, online stores) as spyware because they drop cookies for session management. To have an online store, you have to be able to track the user as they place things in their shopping cart, then procede to checkout. To keep a shopping cart between sessions or to keep user information available for the next forum discussion...you drop cookies that extend beyond the session.

Yes, there are privacy concerns with third party cookies from large entities like doubleclick and valueclick. These companies already have privacy statements, and have big legal departments and contribute to PACs to assure whatever they do is legal.

Laws that get passed from ill informed groups like the one quoted in the article simply create hassles for legitimate firms trying to do legitimate business. It will not affect the large ad firms like doubleclick and valueclick. Nor will they have any affect on the people willing to work on the fringes of society.

I am all for efforts to define and regulate adware. Such companies actually have code downloaded installed and running on people's computers. Unfortunately, I doubt legislatures will have the tech savvy to make such definitions. Especially in a world where privacy rights advocates are as befuddled by session management with cookies as they are with a trojan that includes code that tries punching holes through firewalls.

Word 2 the wise: Back Up AV/Firewal Inst. Files..

[iamcf13]

I suspect the Spammers / Crackers are DESPARATE enough now to see about compromising antivirus and firewall programs at the source via a crooked/disgruntled person at the company with access to the software and/or the source code to it (even 'better').

You have been warned....