California Sets Fines for Spyware
aj50 writes "The BBC has the story that California is introducing new laws to help eradicate spyware. The bill bans the installation of software that can be used to take over another computer and allows customers to seek $1000 in damages if they've fallen victim to this kind of malicious software. Can this really help cut down spyware or will it just be another fatally flawed piece of legislation?"
"The bill bans the installation of software that can be used to take over another computer..."
Goodbye, SSH. I'll miss you.
Goodbye, Windows.
Among other things, this bans unauthorized installation of keyloggers, spam sending/relaying software, zombies, and disabling your anti-virus or anti-spyware software.
However, and this is a big however, they grant a blanket exception to your ISP or network admins. "Nothing in this section shall apply to any monitoring of, or interaction with, a subscriber's Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, repair, authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter."
You could probably drive a truck through a loophole like that.
How am I supposed to fit a pithy, relevant quote into 120 characters?
"The legislation, which was approved by Governor Arnold Schwarzenegger, is designed to safeguard people from hackers and help protect their personal information."
"One form of spyware called adware has the ability to collect information on a computer user's web-surfing.
It can result in people being bombarded with pop-up ads that are hard to close."
Lesse. Arnold Schwarzenegger. Check. Hackers as evil villains. Check. Mixing JavaScript pop-up ads and malware. Check.
"Can this really help cut down spyware or will it just be another fatally flawed piece of legislation?"
I dunno, what do you think?
Spyware is considered by computer experts to be one of the biggest nuisance and security threats facing PC users in the coming year.
Unfortunately the average computer user doesn't know this.
The fine is too weenie. They need to do for consumers what they do for the likes of the RIAA and MPAA - give consumers something with which they can beat spyware vendors into submission.
But that won't happen because they don't really give a shit about "consumers" as long as they continue to consume. When we consume we fulfill our political function.
If you define spyware as they say in the article as "the installation of software that takes control of another computer," then it sounds broken already to me.
Spyware does not have to take control of a computer.
It can be as simple as sending back browsing habits so cookies can, even, be not so far away from some spyware then,
Or it can just send credit card details or other browsing habits or snoop in places it shouldn't. All without "taking control" of another computer.
The devil is in the details. I would like to see what kind of software it really is defining as spyware.
Great Macintosh Support
Would they seek damages from the spyware manufacturers? Or from the OS designer who designed a less than secure OS?
Regardless of how you feel the question should be answered, will that be a choice?
libertarianswag.com
And let's get this out of the way:
The law, if it affects any spyware company, will only affect those who are incorporated and/or exist in the USA.
stuff
The RIAA should be fined millions for their infected WMA files.
The question is will the **AA adhere to this law, or will they find a convenient loophole/exception?
----
"Ours was a free culture. It is becoming much less so."-Lawrence Lessig
What's stopping me from 'getting infected' with some adware / spyware / malware and claiming the money? Are there some legal procedures to go through? How are they gonna prove that I didn't install them?
Eureka Science News - automatically updated
The state's Consumer Protection Against Spyware Act bans the installation of software that takes control of another computer.
I'm really concerned about this type of language. The effectiveness of this really comes down to "How do you define 'takes control'?" Snooping where you go on the Internet is not "taking control". I don't even know that pop-up advertisements can really be called "taking control" since I have ultimate control over the power button as well as the network plug in the back of the computer. Even if there is spyware installed, I have control over installing another browser or installing spyware removal software. VNC, PC Anywhere, and other such tools are meant to truly "take control" of a system, but they're obviously not spyware. I'm also concerned about spyware being used as the threat. I would think that viruses and spambots would be the obvious targets, but do they "take control" or do they just "steal CPU cycles"?
The article didn't go into great detail on this particular matter. How can one really define "taking control" if something ever goes to court on this? Or is it possible that this was just a bad choice of words on BBC's part?
The Overrated mod is for reversing inappropriate, positive mods, not for voicing disagreement with a post.
Now that I think about it, there are several very difficult problems with such legislation. Among the hardest to define, however, would be what constitutes "taking over".
Let's face it, we all know some idiot users out there who do things that are just dumb (like clicking on that "Yes" button for GATOR's new and improved super-duper piece of $#!+). With that installation comes a whole host of things but the user did knowingly and willingly click on that "yes".
Now normally I'd say that this doesn't constitute an excuse. If I am caught speeding, I can't plead to the cop -- "Sorry I didn't know 200mph was speeding!" Computers are, however, rather mysterious beasts to most and thus legislation can be harder to define.
RIAA/MPAA contractors using spyware.
EvilCON - Made Famous by
When you allow a story about some bill on Slashdot, cite the bill, or provide a link. Stories like this are useless.
One person can't fight back for $1,000 since it would cost more than that...
A recent Prop. in Cali has limited the rights of private lawyers to act on the public behalf, which also makes it hard for a single lawyer to fight for a group of people.
The only way to really fight this type of spyware, ASSUMING there is someone with some deep pockets would be a class action, which is difficult to put together. You need to certify the class, then go to court to fight the 'bad guys.'
http://www.hawknest.com/
(d) Nothing in this section shall apply to any monitoring of, or interaction with, a subscriber's Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, repair, authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter.
I skimmed through the bill text found here, and it seems fairly well worded. However, it doesn't solve the actual problem. An "authorized user" can still be suckered pretty much as before.
Kjella
Live today, because you never know what tomorrow brings
I don't really know much about spyware as I don't use Windows, but my understanding is that many of the legit programs collect personal information for marketing purposes. These programs must call home to upload what they collect. Why hasn't anyone written spyware spoofing software that uploads lots of invalid or, better yet, simply incorrect data?
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
1. Setup insecure windows box.
2. Intentionally get infected with spyware.
3. Profit!
Man, the one chance to say "RTFB!" and you blew it. Good going.
"authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter"
This looks custom made for grievous EULAs for junk like Microsoft's Windows XP and Windows Media Player. Even the nasty Overpeer effort might be overlooked with an attitude like that. So the thing that is fundamentally wrong, doing things to other people's computers without asking them, is explicitly allowed if you are "authorized".
Another section defines "authorized user" and expressly prohibits EULAs as a vehicle:
22947.1.(b) "Authorized user," with respect to a computer, means a person who owns or is authorized by the owner or lessee to use the computer. An "authorized user" does not include a person or entity that has obtained authorization to use the computer solely through the use of an end user license agreement."
The contradiction is clear, how it will play out is not. If I click through Microsoft's Windows updater, have I signed onto having my computer monitored for copyright infringing works? What are security purposes? Microsoft's EULAs clearly grant them power to do these things and exercising those powers is a violation. We will see if some companies are allowed to violate this law while others are punished.
Friends don't help friends install M$ junk.
1. Get a copy of Spybot
2. Run it on all your PCs. Statistically each PC will have on average 28 pieces of spyware on it.
3. DO NOT FIX THE PROBLEMS!!! They are now evidence!
4. Carefully research each piece of spyware found by Spybot to see if you can sue the makers for $1000 each.
5. If you find anything, call your lawyer.
6. Profit!
How am I supposed to fit a pithy, relevant quote into 120 characters?
For once this is a computer law that doesn't supplant technical solutions. Now, spyware that installs itself without you knowing it works only because a technical flaw in the computer and you can penalize it all you want but you won't be getting rid of the vulnerability.
For other things which piggy-back on other programs this seems to be the only feasible way. Since it technically gets installed by hand there's really no hole to plug.
As much as virii and spyware (malware in general) is a problem there should be a clear distinction between what can be penalized and what can't. Things that prey on the gullibility of users should definitely be outlawed like any other con artist's scam. Things that have technical solutions should really rely on technical solutions. Don't fall into the habit of thinking that a strong law will plug your security holes for you.
If squirrels are getting into your birdfeeders don't advocate municipal squirrel destruction, buy a birdfeeder with a squirrel guard. (If you want to shoot the squirrels anyway that's your own prerogative.)
Direct away from face when opening.
This shows that engineers have failed to do their jobs and the governance of software has fallen into the hands of politicians. This is not good.
Unfortunately, I don't see how the ban on installation of software that can be used to take over another computer... can be enforced, without completely outlawing any software upgrade service. Maybe the law is better worded than the article, but from experience I have my doubts.
I'm an American. I love this country and the freedoms that we used to have.
I mean really now, I hate MS as much as anyone but you can set off a bomb with a Timex watch. Do you sue Timex for making an unsecure watch, or the people who rigged it to the explosives?
The revolution will NOT be televised.
As it's advertised as to what it is, and it takes the user's express intervention to install it..
If they were to honestly go after something like that, which has the user's permission... then even Microsoft would be toast.. ever hear of SMS, or even AD? It's all about 'remote control'...
Nah, VNC and related software is safe.. Now if people USE it improperly.. They could be fined, but they would have committed other crimes in the process anyway...
---- Booth was a patriot ----
I can see their new laws now: "Do not install spyware, or Arnold will personally come and terminate you!"
It may be a useless bill, but at least they are trying. I think it is a step in the right direction.
roamingfeet
Nothing in this section shall apply to any monitoring of, or interaction with, a subscriber's Internet or other network connection or service, or a protected computer, by a telecommunications ...
... the software provider is allowed to monitor your private machine and your connection. This does absolutely nothing to stop spyware-riddled software from being sold to unwitting consumers.
carrier, cable operator, computer hardware or software provider, or provider of information service
So
"Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".
I wonder if I can get a $1000 dollar for each of those.
Given that most dollars only cost $1, I don't think you'll have any success in finding a $1000 dollar. If you do find a dollar worth $1000, let me know -- I'd love to cash those in!
I've heard about this law. I just wonder if what the RIAA is doing, http://it.slashdot.org/article.pl?sid=04/12/31/1553231&tid=95&tid=97&tid=172&tid=17 will be criminalized (as it should be).
Is it 5:30 yet?
Fatally flawed.
However, most state legislatures have a few members on a clean up committee, usually called something like a "Legislative Review Committee," to recommend changes to existing law.
I strongly recommend you find out who they are for CA and encourage Slashdotters to lobby them.
At the risk of being too vague (much like the article), I get the feeling this law will be used selectively in cases of "I know it when I see it."
There's a big difference between services that COULD be exploited (SSH, AD, VNC), data-miners or adbots (Claria, MyWebSearch) and the real nasties.
Think CoolWebSearch *spit!*, VX2/NicTech and SecondThought. Each of those is considered malicious software in addition to spyware/adware because they install via exploits and use backdoor access to generate revenue.
SecondThought can change your start page to kiddie porn. That is a major liability. CoolWebSearch is next to impossible to remove. VX2 compromises Winlogon: it's a rootkit. The methods by which these things work already fall under the existing definition of computer crime.
Now Adaware and Spybot can finally get paid if states would let Adaware and Spybot represent affected computer users. Something like 20% to Adaware or Spybot and 80% of the 1000$ to the affected user or the user's charity of choice may be good enough incentive to "make it stop".
I don't even have to read more than the few sentences posted here. Considering the whole purpose of the legislature these days of capitalist enlightenment is to ensure businesses can rifle through our wallets with impunity and our whole job is to consume, I am sure every commercial entity will find the loopholes since I am sure 'they' and their lobbyists crafted this self-contradicting nightmare bill. It's 'feel good' legislation at its finest. Kind of like invading Iraq: it didn't solve anything, but it made the public feel good for a while. I'll bet no one is ever prosecuted under this--ever. Even the RIAA's putting spyware in WMA files on P2P hosts will be exempted, I am sure.
If you want the government to babysit you while you use your computer it's the right direction, maybe. Personally I'd rather get the government out of regulating software.
which was a Good Thing for people who owned fax machines about a decade ago. Junk faxes were about to make faxes useless just as fax machines were becoming affordable and many small businesses were getting them, but they virtually disappeared from the face of the Earth when this became law. The only reason junk faxes still exist at all is not enough people are aware of the law.
This may not work as well for malware, as many of the creators are not only NOT in California, they're not even in the USA.
Tag lost or not installed.
If you read the whole sentence though, all those entities can only monitor your computer for the purposes described, such as repair or authorized updates.
The scary thing about that is pointed out in the post just below yours: one of the purposes for which basically any program is allowed to monitor you is "prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software." Say hello to a wave of RIAA-sponsored MP3-eating worms that are protected by law... wonderful.