Anti-Spyware Bill up for Vote in Congress

paul_friedman writes "According to Reuters - The U.S. House of Representatives will vote as soon as next week on a measure to crack down on deceptive "spyware" that hides in users' computers and secretly monitors their activities."

Won't this legalize Spyware?

[erick99]

The bill approved by Barton's committee would require software makers to notify people before loading new programs on their machines that can collect information about them. Violators could face millions of dollars in fines.

A lot of these programs do tell you that they are going to load Gator or some other piece of sh*tware. However, it is buried in the middle of the EULA which most people "pagedown" through rather than read 10 or 15 screens of fine type legalese. I do read them or at least scan them for the part about giving me even more

"free productivity"

software. This legislation like the spam legislation (CanSpam), will simply embolden those who have been hesitant. Now that they can legally load your system up with spyware as long as tell you somewhere, no matter how hard it would be to actually find it, they will do so. I just wonder what these politicians are smoking when they come up with these "solutions."

-erick

Re:Won't this legalize Spyware?

[Carnildo]

The anti-spyware bill is to spyware as the CAN-SPAM act is to spam.

In short, it's a bunch of feel-good legislation that legalizes a few shady practices, and add further laws against others. Nobody will bother to enforce it, and in a few years, it will have been forgotten.

Re:Won't this legalize Spyware?

[MindStalker]

I think the most important part of this is that it also requires the software to be easily uninstallable. Something that isn't true today. This is the main point that I believe needs to be inforced, as its hard to exactly give a definition of spyware. But any software that installs permanently onto your computer (java apps and such don't nessearly apply) needs to have a simple uninstall.

Re:Won't this legalize Spyware?

[MindStalker]

Actually I take that back, that is the senate bill. Which is much more comprehinsive. It appears that the house bill is very simple and just disallows installing without notice.

Re:Won't this legalize Spyware?

[WindBourne]

The argument will be that it is easy to uninstall it. Just re-load Windows.

Re:Won't this legalize Spyware?

[techno-vampire]

Getting rid of spyware will take time, and may not be possible. Just being able to nail the worst offenders, those that install without notice or any reasonable way to remove, is a start.

Re:Won't this legalize Spyware?

[gr8_phk]

"It appears that the house bill is very simple and just disallows installing without notice."

Installing software on someones computer without notice is already a crime - especially if the installed software sends data back to the party who installed it. People go to prison for that type of thing, but apparently it's different if a corporation hacks an individual instead of the other way around.

Re:Won't this legalize Spyware?

[Tony-A]

There are already laws about unauthorized use of computing facilities. Rather strong criminal laws.

To be effective, any new legislation should better define what constitutes authorization, specifically that any authorization burried deep down in anything expected to clicked through constitutes fraud.

from Windows is the 'biggest beta test in history' - Gartner "Victor Wheatman, Gartner security veep, told delegates at the IT Security Summit in London that the most secure organisations spend less than the average and that the lowest spending organisations are the most secure."
More legislation to help out a few favored scammers at the expense of the populace is not a good idea. CAN-SPAM? Spammers: Sure we CAN!

Wait...

I don't get any more free computers that "don't work?"

diebold..

[DraKKon]

I would be prudent to put spyware in diebold's voting machines though.,.

Oh whatever

[screwedcork]

As if the people who write spyware care about the law and doing what's right

Re:Oh whatever

[Shnizzzle]

But at least companies who are located in the United States and who profit from use of said software can be held legally responsible.

I know that we all feel a little joy when we hear that spammers have been arrested and the same can now happen to spyware authors.

Yeah,Sure

[rainman_bc]

It's probably going to be as effective as the CANSPAM act.

How are they going to nail people in Russia and China?

Re:Yeah,Sure

[Carnildo]

They're not even making a serious effort to use the CAN-SPAM act against spammers in the United States. Why worry about people in Russia?

Re:Yeah,Sure

[Pig+Hogger]

How are they going to nail people in Russia and China?

This won't be a problem anymore, thanks to The Project for the New American Century!

Re:Yeah,Sure

[TidyKiller]

Yes, because world domination will solve all our problems.

War on Spyware-ism!

[graveyardduckx]

I'm guessing since a lot of this garbage originates overseas that we can use this as another poor excuse to go to war??? /duck

Poor guys

[bigberk]

What will the honest folk at claria (a.k.a. gator), "A Leader in On Line Behavioral Marketing", The do about this?

Re:Poor guys

[Obliterous]

Not a damned thing...

they do tell you that their stuff is being installed. it's in the EULA for whatever program you actually wanted to install, that it hitchiked in with...

Word to the wise: if there is more than one EULA, then there's probably spyware. if there's only one, read the bloody thing...

Re:Poor guys

[stephanruby]

Word to the wise: if there is more than one EULA, then there's probably spyware. if there's only one, read the bloody thing...

Assuming it's actually a product you're trying to download, and not just a random activex popup. It's usually easier to google whatever name of the product plus add the word "spyware" to it. Reading the EULA is too damn difficult these days.

It's the corollary of the Slashdot effect. Never read the primary source, someone else will already have done it for you.

politicians and technology do not mix

[loose+electron]

More useless laws that can not be enforced.

Just like attempts to make P2P filesharing illegal, it will be virtually impossible to regulate or control.

Sweet....

[bizpile]

Nice, more unenforceable legislation. Go Congress!

No doubt...

Corporations contributing to congressional campaigns are exempt, of course.

Screw fines...

[TWX]

...it's time to get the tree trimmers out, heat them up to temperatures that will cauterize, and then truncate something important to the spyware authors...

Of course, if the dominant web browser weren't vulnerable to installing trojan software on a user's computer in the first place this would be a moot point.

Re:Screw fines...

[TWX]

Thing is, though, Internet Explorer has sucked from the first release that was bundled with Windows NT 4.0, which was called v2.0. It has never been properly fixed. After the debacle of MS forcing IE on to computers with the OS I decided that I'd never use their browser again for my own computers, and I've stuck to that. I've watched countless exploits for the browser come out and wreak widespread havoc on Internet users, while I've been very safe using Netscape or Mozilla, depending on my fancy. My computers have never had spyware/trojans/hijacks or any of the like.

Microsoft's web browser is a piece of shit. It allows Internet-based stuff to invade down to a service level on the workstation. It allows massive quantities of unsolicited popups, a problem that the Mozilla team fixed at least two years ago. It has been documented to have "arbitrary code execution" security holes on a regular basis.

I haven't had these problems with the Mozilla/Netscape strain. My friends with Safari and Opera haven't had these problems. How hard is it to code a fucking layout interpreter and display program?

Isn't this already illegal?

[halivar]

Isn't this already illegal? Lately I'm afraid of legislation banning things that are already illegal. Take the DMCA, for instance; copyright violations were already punishable, but all of a sudden a whole slough of other things are, too.

I say, let's strengthen our ability to enforce laws we already have on fraud and invasion of privacy. It seems new laws, making more things illegal will simply become another "gotcha" for folks using legitimate software.

NO!

[BHearsum]

80% of what I do at work is cleaning spyware. I would be out of a job if it stopped existing.

Re:NO!

[LiquidCoooled]

You know times are hard when your own family outsources your technical assistance.

Re:NO!

[Pig+Hogger]

80% of what I do at work is cleaning spyware. I would be out of a job if it stopped existing.

Then, you are a part of the problem. Vested interests that benefit from the status quo.

Re:NO!

[That's+Unpossible!]

That can't be right ... I thought the government's sole purpose was to create jobs?

Nothing can be done

[economan]

There is really nothing that can be done. It is called social engineering. The end user does let them into the computer, not by choice, just by staight ignorance. This is just another set of laws that will mean nothing.

Re:Nothing can be done

[frankthechicken]

Exactly the number of people who want to have weatherbug on their PC, the number of people who purposely download and install Claria products is ridiculous.

People want these things because it gives them cool things, they don't care what happens in the background.

I personally equate it to smoking, without the risks of using the product being fully known about or appreciated.

Perhaps the preventative measures taken against such adware products should be similar to smoking. Large, prominent notices being required, detailing the risks of using the software, perhaps higher taxes on companies deemed to be adware firms.

Unfortunately the ability to label such problematic software is, well, problematic.

Finally!

[Jaycatt]

I was just doing a training for my coworkers about what spyware is/does. No one had ever heard of it, and didn't know they should be scanning their PCs. I remember telling them that I hoped it would be the next "big thing" they'd start passing laws about (like they did with viruses and spam). Glad to see that hope may come true!

It'd really be nice to see this issue talked about in the more mainstream press, so that it gets a negative following like spam has. Might not solve it, but at least people will know it exists.

Re:Finally!

[savagedome]

Might not solve it, but at least people will know it exists.

And there probably lies the difference between 'average person' and 'average /.er'. What is spyware for you and I might not even be spyware for them. There are people who willing install Bonzi Buddy on their systems because its cute but I would not touch it with a ten feet pole.

And if these legislators were even half serious, their act should have included not the installation but the 'uninstallation' part. A lot of programs/utilities/helpers capture sensitive information (Google Toolbar anyone?) but the difference lies in getting the crap out of somebody's machine. Anybody who ever had to use HijackThis to figure out the fscking process eating up your machine knows what I am talking about.

Till then, just another stupid law and the life continues as always.

Re:Finally!

HijackThis is a great tool for totally destroying a computer. In the hands of someone who knows what to do, it's useful.

In the hands of the typical "click every 'OK' on every popup that appears", it will delete just about everything in their registry.

Let them use spybot or ad-aware, at least there if they click and delete everything it finds it won't leave them with an unbootable machine.

Re:Finally!

[JohnnyNoSPAM]

This in and of itself will not be the end of spyware. However, I believe that this is a starting point from which we can eventually build a system of enforcement which will hunt for spyware and prosecute people who develop and/or utilize it.

Still, good Internet practices are a good starting point for the rest of us can implement now. This entails doing some research in addition to some common sense. Tools such as Spybot S&D and Ad-Aware are excellent in addition to being freely available and for real. There are a slew of other software claiming to be able to remove spyware when in fact they are spyware themselves! (anyone ever see the web banner ads, "Your computer may be infected with spyware..."?) Believe it or not, Microsoft actually has some good starting information for users of the Windows OS who are interested in what spyware is and how they may take some steps to protect themselves. http://www.microsoft.com/athome/security/spyware/d evioussoftware.mspx

I recommend that users research as much as they can about what spyware is, the damage that it can do your your computer,your network, and your personal information. From there, one can learn some simple steps to avoid it. My personal recommendation is that if you are looking software, consider open source solutions. SourceForge is a great resource http://sourceforge.net/ Being that the code is openly available, open source is naturally not a desirable form of software for those who wish to do you harm. This does not mean that it is completely impervious to malicious coders, but at least you know that others will be able to see the code and blow the whistle upon the detection of any such inclusion.

Hmm...

[queenofthe1ring]

It will be combined with another bill, passed by the Judiciary Committee (news - web sites), that would establish criminal penalties for those who use spyware to commit identity theft or other crimes.

So now it's going to be a crime to commit a crime?

Re:Hmm...

[green1]

reminds me of a highway sign I saw a while back... it read "obey all signs" I broke out laughing, if you are already going to obey signs then there is no point to haveing a sign to tell you that, and if you aren't, then why would you obey that one?

Re:Hmm...

[PriceIke]

XXX LIVE NUDE GIRLS! 3 miles, turn right.

My favorite advocacy group is the one that puts up those orange signs near work zones that say, "END ROAD CONSTRUCTION". I so totally agree!

What the Gov't NEEDS to do

[TheUnFounded]

What really needs to be done: have the gov't put in place a formal pricipal that states THIS. Maybe then they'd actually accomplish something.

Sorry but

[needacoolnickname]

I think governments really have more important things to think about than spyware and spam - oh, I don't know... wars, the economy, health care, education, ways to spend the money they make off the tobacco industry for everything possible except for the health issues they are saying they nede the money to pay for...

If someone installs spyware it is their fault. Nothing is free on a Windows machine. Take some personal responsibility for jebus sake.

Here's a question. Why are all the spyware programs written for Windows rather than Mac or Linux. There are perfectly good freeware programs for the other OSs and they aren't laden with the crap?

Re:Sorry but

[rainman_bc]

Why are all the spyware programs written for Windows rather than Mac or Linux.

Simple market share dude.

Businesses (shady or not) look at the cost/benefit analysis of writing this stuff. The benefit is higher when you write the stuff for windows than any other platform.

Re:Sorry but

[__int64]

"Why are all the spyware programs written for Windows rather than Mac or Linux."

B/c first these things work by volume, windows has a farlarger userbase to attack than any of the others. Second, there are alot more, less knowledgeable users on windows than on other platforms. So statistically its far easyer to doop them into installing your garbageware than users of other systems.

Wouldn't it make more sense...

[Sentry21]

Maybe it's just me, but wouldn't it make more sense to create an agency (in the manner of the FCC or CRTC) with the mandate to regulate these types of activities? That one agency, given the ability to pass regulations as the FCC has, would be able to regulate things like SPAM, Spyware, and other interests (viruses perhaps?). They could impose fines for companies that write programs to do this kind of work, publish lists of software banned under the regulations, and so forth.

Just like the acts that created the CRTC and the FCC, it would be a simple matter for Congress to say 'there is a problem, you guys handle it', rather than having to learn the full issue every time something needs to be done.

--Dan

yes

[killua]

Being the honest, law abiding, trustworthy corps these spyware companies are. I'm sure they will comply! Expecially when the law in question will be virtually uninforcable. We can trust them! Really!

Not that good of a law...

[chrispyman]

As many others have pointed out, this will probably be as effective as a law as CAN-SPAM was. What they really need to do is to make it illegal for companies to profit from the selling of the data that these spyware/adware programs collect.

Re:Not that good of a law...

[pilgrim23]

When law is not the answer, yet law is passed to address it. the law, and all laws, looses respect.

Hurrah! Congress is on the case!

If you'll excuse me, I have to go upstairs and uninstall SpybotSD and Ad-Aware from my Windows box!

This is just like when they made spam illegal. Oh, the joy I felt when I removed all the anti-spam measures from my server-- my heart was truly singing!

Re:What I don't understand....

[TykeClone]

They don't care about controlling problems - they just want to look like they're doing something about an issue.

How about a bill...

[mabu]

that guarantees X amount of money to be put into enforcement/education efforts against existing cybercrime?

We don't need any more laws. We need law enforcement of existing laws. The current anti-computer tampering laws are effective in most cases.

NO!

[AvantLegion]

If you outlaw spyware, only outlaws will have spyware!

Wait....

How about a bill

That requires /. to change to damn theme for IT ... christ, I like my eyes ... why are you tring to blind me ...

Anti spyware legislation

[serenak]

Like so many things Govt's do isn't it "bolting the stable door"? Spyware is out there, asking for people to "agree" to have it is just asking for a whole flood of "legalised" versions to infest PC's worldwide. Biggest problem is *obviously* that like spam this stuff usually comes from outside the "controlled" zone eg China, Russia, Papua New Guinea etc. Harden your security or change to a more secure system or get a better firewall! Then again I run OS X so I don't have to deal with this day on day...

Mandatory computer education?

[Sarcastic+Assassin]

I think the government should require people to obtain an Internet license, to get access to the Internet. It could be not only preventional (eg, avoiding spyware, how to remove it), but educational (incorporating a bit of HTML, possibly). It'll probably destroy the essence of the Internet (eg, a kind of virtual library), but people will be more educated.

Re:Mandatory computer education?

[LincolnQ]

Argh, mod you down, please. That makes no sense, I'm sorry. Are you being serious?

An Internet License would hurt much of what makes the Internet the Internet (anonymity, free speech, etc.) And how would you enforce it? Would you have somebody watching over your Internet usage, and, if it seems erratic, "pull you over" and ask for your Internet License and Registration? I'm sure everyone here will love that idea.

They will blow it.

[BCW2]

Just like can-spam. Because they make it too complicated. It is really a case of illegal electronic surveillance, just like an illegal wiretap. You shouldn't be allowed to do it without a court order. The last I heard that was already a felony.

As usual they would rather pass a new pile of crap than enforce whats already on the books.

Oh, so it's just like..

[Gadgetfreak]

the Assault Weapons ban? Feel-good indeed, and unenforced.

It's a PR stunt for the people who live in fear of what they do not understand.

I guess this means...

[marcello_dl]

A slightly new EULA for windows.

Immunity for Some?

[ObsessiveMathsFreak]

Yet how many loopholes will be present to allow law inforcement to install keystroke loggers and port sniffers with any sort of warrent from a judge.

No doubt they'll justify any blatent breach of personal rights with a big 'fight terror' or 'freedom police' sticker and a grin.

I'll bet some spyware companies are already passing on data they collect in 'suspect' countries to higher powers. I mean, if there are spyware infected PCs in say... France, don't you think that greasy agents are taking advantage of that now. Expect exemptions, official or otherwise, for spyware companies that jump into bed with enforcers looking to get around the law.

RTFL: Read the Legislation

[jfengel]

The article is actually rather devoid of information. If you want real data, you gotta go to the source: The Library of Congress.

For example, many articles in this thread have talked about them burying the the notice in the EULA. From the House bill:

The notice clearly distinguishes such notice from any other information visually presented contemporaneously on the protected computer.

They call that "clear and conspicuous notice in plain language", and it goes on from there.

As for enforcement: there's less spyware than spam. Spyware takes time to write, and it takes time to make it useful enough that dumb users install it. Claria is easily tracked down, and if they don't ask "This program will collect and transmit information about you. Do you accept?", they go to jail. Stupid users will click anyway, but "Against stupidity the gods themselves contend in vain" (Frederick Schiller).

The solution isn't perfect: some malware writers will just move offshore, for example. But I have reason to believe that this legislation will do at least some good.

Spying Politians

[Mulletproof]

"The U.S. House of Representatives will vote as soon as next week on a measure to crack down on deceptive "spyware" that hides in users' computers and secretly monitors their activities."

This one is a slam dunk. I mean, what government offical wants their computer to secretly monitored??? ^_^

Remeber kids

[the+real+darkskye]

Just because something is legal doesn't mean it is ethical.

EULA legislation?

[Wino]

What I'd really love to see is some sort of regulation that tames the one-sided nature of EULAs themselves.

For instance...

Ability to opt-out (or must opt-in) to tracking/privacy related features.

Non-solicitation agreements.

Use of personal information. etc.

Also, force companies to have a brief overview of the EULA so consumers can actually determine what it is they are actually agreeing to without having a law degree.

A man can dream...

Modify existing laws

[Lesrahpem]

I have always sort of wondered why adware and spyware have not been lumped into the same category as malicious viruses. It is easy to say that they're not malicious, in that they don't delete files or make damaging configuration changes to a computer. However, they do create a huge performance decrease.

From what I have seen the average Windows user who uses Internet Explorer seems to have between 100 and 600 spyware items (according to ad-aware) on their computer. I see this because I do computer repair in my area and almost all of the times a computer is brought to me for repair it is spyware that is causing the problem. There's usually nothing else wrong.

In light of that, I think congress would do better just to redefine the laws already in place which deal with computer viruses. How about classifying any piece of software which installs on a person's computer without prompting them, or which has a primary function other than the one stated, as a virus (I mean in legal terms, not technical).

IAAL who researched spyware....

[omarKhayyam]

I researched spyware this past summer with a professor of mine at law school. The main flaw with all the proposed spyware legislation (there are around 10 pieces of it at the state and federal levels) is that it focuses on regulating "spyware" itself, rather than dealing directly with what bothers us about spyware. This is especially problematic because spyware is defined to cover a hopelessly broad array of software. As a result, two different legal issues have been handcuffed together. These two issues are information privacy and trespass.

Information privacy covers all the collection and use/abuse of personally identifiable information. This concern is not unique to spyware. It also exists in the use of bank records, medical information, etc. The EU has done a better job than us of consolidating information privacy concerns into a coherent body of law. In the US we have a legal patchwork that covers each use of personal information separately.

Trespass covers the installation, disclosure of functionality, and uninstallation of programs. There is a strong analogy here to real property, where you have some control over who comes onto your property, what they do there, and your right to expel them. One area that is in flux (and it is not unique to computer software) is that burying something in legalese in a license agreement may no longer be viewed as giving someone notice. This view is already being taken by some courts with regard to boilerplate contracts for products like cellphones.

In the end, this legislation is flawed because the legislators failed to identify the distinct issues of information privacy and trespass and address them separately. Identifying and separating issues is rule #1 when it comes to the understanding the law. I would imagine this mistake was made because this law involves technology, which probably makes legislators think they need to write completely new law. Sometimes this is the case, but often it is better to extend the laws we have developed over hundreds of years.