Slashdot Mirror


California Sets Fines for Spyware

aj50 writes "The BBC has the story that California is introducing new laws to help eradicate spyware. The bill bans the installation of software that can be used to take over another computer and allows customers to seek $1000 in damages if they've fallen victim to this kind of malicious software. Can this really help cut down spyware or will it just be another fatally flawed piece of legislation?"

6 of 199 comments

  1. Obvious by krymsin01 · · Score: 3, Informative

    And let's get this out of the way:

    The law, if it affects any spyware company, will only affect those who are incorporated and/or exist in the USA.

    --
    stuff
  2. Group Fights Back by hhawk · · Score: 3, Informative

    One person can't fight back for $1,000 since it would cost more than that...

    Recent Prop. in Cali has limited the rights of private lawyers to act on the public behalf which also makes it hard for a single lawyer to fight for a group of people.

    The only way to really fight this type of spyware, ASSUMING there is someone with some deep pockets would be a class action, which is difficult to put together. You need to certify the class, then go to court to fight the 'bad guys.'

    --
    http://www.hawknest.com/
  3. Re:Yep, bad legislation... or maybe it's the summ by Kjella · · Score: 4, Informative

    (d) Nothing in this section shall apply to any monitoring of, or interaction with, a subscriber's Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, repair, authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter.

    I skimmed through the bill text found here, and it seems fairly well worded. However, it doesn't solve the actual problem. An "authorized user" can still be suckered pretty much as before.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  4. The Bill by euphonaesthesia · · Score: 2, Informative
    A copy of the bill is available here. It defines spyware in this way:
    22947.1. For purposes of this chapter, "spyware" means an executable program that automatically and without the control of a computer user gathers and transmits to the provider of the program or to a third party either of the following types of information: [...]
    The bill also outlines many cases in which damages may be recovered. The $1000 damages that may be recovered refer to violations of section 22947.2 which defines how spyware should be distributed. Spyware distributed in violation of the provisions of that section would allow for a collection of damages of up to $1000 for each copy distributed in violation of those provisions.
  5. DRM Truck? by twitter · · Score: 3, Informative
    I'm disgusted by the contradictory language. The loophole you mention seems to undo lots of other careful language.

    "authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter"

    This looks custom made for grievous EULAs for junk like Microsoft's Windows XP and Windows Media Player. Even the nasty Overpeer effort might be overlooked with an attitude like that. So the thing that is fundamentally wrong, doing things to other people's computers without asking them, is explicitly allowed if you are "authorized".

    Another section defines "authorized user" and expressly prohibits EULAs as a vehicle:

    22947.1.(b) "Authorized user," with respect to a computer, means a person who owns or is authorized by the owner or lessee to use the computer. An "authorized user" does not include a person or entity that has obtained authorization to use the computer solely through the use of an end user license agreement.

    The contradiction is clear; how it will play out is not. If I click through Microsoft's Windows updater, have I signed onto having my computer monitored for copyright infringing works? What are security purposes? Microsoft's EULAs clearly grant them power to do these things and exercising those powers is a violation. We will see if some companies are allowed to violate this law while others are punished.

    --

    Friends don't help friends install M$ junk.

  6. Re:Did they use the right language to be effective by IO+ERROR · · Score: 3, Informative
    The law defines "taking control" in 22947.3(a) as follows:
    (1) Transmitting or relaying commercial electronic mail or a computer virus from the consumer's computer, where the transmission or relaying is initiated by a person other than the authorized user and without the authorization of an authorized user.
    (2) Accessing or using the consumer's modem or Internet service for the purpose of causing damage to the consumer's computer or of causing an authorized user to incur financial charges for a service that is not authorized by an authorized user.
    (3) Using the consumer's computer as part of an activity performed by a group of computers for the purpose of causing damage to another computer, including, but not limited to, launching a denial of service attack.
    (4) Opening multiple, sequential, stand-alone advertisements in the consumer's Internet browser without the authorization of an authorized user and with knowledge that a reasonable computer user cannot close the advertisements without turning off the computer or closing the consumer's Internet browser.
    --
    How am I supposed to fit a pithy, relevant quote into 120 characters?