Washington State Outlaws Spyware

An anonymous reader submits "Today, the Governor of Washington signs a a bill outlawing spyware (bill history) which imposes penalties of $100,000 per violation. Spyware is broadly defined. It includes everything from changing a browser's bookmarks or homepage settings, "Opening multiple, sequential, stand-alone advertisements in the owner or operator's internet browser", keystroke-logging, taking over control of the computer, modify its security settings, and even "Falsely representing that computer software has been disabled." But here is my favorite: "Prevent, through intentionally deceptive means, an owner or operator's reasonable efforts to block the installation or execution of, or to disable, computer software by causing the software that the owner or operator has properly removed or disabled automatically to reinstall or reactivate on the computer." Microsoft and Ebay both testified in support of the bill. On May 10th, a similar law banning Internet and email phishing was also passed."

Realplayer now illegal? hopefully

[Toby+The+Economist]

RP is a complete pig to remove.

Wonder if it's now illegal?

In fact, I'd like all third-party hidden-startup applications, which generally are unwanted and adopt this method since they know they'd be removed, to be illegal. I get VERY annoyed when other people feel fit to try to force their software into *MY* computer. How would they feel if I came into their front room and took over the remote control?

--
Toby

Agreed-hard to enforce

[Coopjust]

Hard law to enforce. If it was a national law, then it would have some effect. Hopefully it doesn't become "National weak law" takes over "Strong state law" like can spam

Outlook Express

[McGiraf]

Outlook express will re-copy its files next time explorer is started if you delete them.

at $100,000 per violation that is $100,000 * the number of windows instalations out there, I think microsoft is going broke!

Re:I see why you like that line

[tehshen]

That is not a bad point, in general - if I write a program with a security vulnerability, and people use this vulnerability to install spyware on people's computers, do I share the blame with the spyware writers?

Class Action Lawsuit

[benspikey]

Consumers and the state attorney general would be able to seek damages up to $500 per violation, or actual damages if phishers try to get consumers' information. Victimized Internet service providers could get $5,000 or actual damages. Judges could award an ISP three times the amount of fines if they so choose. Alright who wants to sign up with me.. We get 1000 systems download bonzibuddy and weatherbug and make a fortune. or at least have fun trying.. :)

where are the teeth?

[spamchang]

or dentures, at least, for this bill?

i want to see people paying up the wazoo for this: collection agencies pounding down doors, spyware companies going belly up, class action suits, the like. hell, if they put filesharing on the same penalty level as involuntary manslaughter (because you know those two are equally evil in the eyes of MPAA/RIAA/congress), why don't they send spyware companies to bankruptcy? /annoyed

Mod this bill redundant?

[mr_Spook]

Okay, it might just be me, and I might just be an idiot here, but isn't spyware illegal already, since it's modifying the contents of my computer without my knowledge or authorization? To me, it seems that spyware makers should be prosecuted just like anyone else who writes malicious code (viruses, trojans, worms, and so on).

Any technically-literate lawyers have a comment on this?

Re:Mod this bill redundant?

[zappepcs]

I think that any bill or law like this has all the teeth that the law against anal intercourse does in Texas. Its only used to prosecute those that the government and/or its most ardent lobbyists want to prosecute, at which point legal action is rammed through (so to speak) in a way that makes it very difficult for anyone to defend themselves should they be the target of this type of law.

Any law that is practically unenforcable is only ever enacted in order to have it handy like a law against rats being in your garage, so its like a big baseball bat for when you think you see a rat in the corner of the garage.

To me, this signifies that the lawmakers of Washington state, and their lobbyists are guilty of one of two things:

Complete ignorance and ineptitude regarding the Internet and how it actually works
- or -
Collusion with certain parties in order to help those that they want to help and to hammer those they don't...

Seeing as Redmond is in Washington state (duh) I can only image that the reason for this is to further the plans of Microsoft.

just my thoughts...

AOL's AIM

[yrogerg]

Have you ever tried installing AIM from AOL? It install links everywhere regardless of if you tell it 'no' in the setup process. Maybe they'll finally change this.

Too bad it'll never bite the **AA

[SocialEngineer]

Considering their actions (through contraction of Overpeer) to smuggle spyware in through windows media files..

Re:Realplayer now illegal? hopefully

[plover]

Try removing HP printer "drivers" some time, or "desktop helpers" that come with video cards, sound cards, TV tuner cards, MP3 players, Bluetooth dongles, printers, scanners, faxes, cameras or any other peripheral your PC may have seen on a TV commercial.

As far as I'm concerned, start arresting them all. I don't want their sh!tware on my box. I want their stuff to sit there nice and quiet up until the moment I want it to do something, and then I want it to do nothing extra. I don't want a pop-up "toolbox" to fix my printer; I don't want a noisy "Lookie what I printed for you, John, aren't you proud of my wonderous inkjets?!" dialog box. And when it's done I want it to get the hell out of my way. Completely. Don't ask me to update, don't leave a tool tray icon behind, don't leave a task running in task manager.

If all this requires sending a few developers to Federal Pound Me In The Ass Prison, all I can say is "don't drop the soap, guys."

Real Player

[m00nun1t]

Like many others, I consider Real Player to essentially be spyware.

I think (correct me if I'm wrong) that Real are based in Washington State. So what's the impact here, for both current and future versions of Real Player? Would make an interesting test case.

Re:The Search For Credible Evidence Continues.

[c0d3h4x0r]

I imagine this won't put to rest the rumors of spyware in their recent players

That's because you're misunderstanding the "rumors" (which are not rumors, but facts, by the way). The problem is that Real's software (maybe not the very latest version, I haven't tried it, but for relatively recent versions this is certainly true) IS spyware in and of itself, because it (1) deceives users into installing stuff or signing up for stuff they didn't want or expect to be signed up for, (2) deeply integrates itself into the system in a variety of unwanted ways, and (3) makes itself almost impossible to cleanly and completely uninstall.

Re:Not sure how I feel...

We can start enforcing the law with Microsoft. MSN Messenger runs at startup even when I've specifically set the options telling it not to do so, and many other people have had this problem, so under this new law it's spyware because it "falsely represents when softare is disabled". Let's see...$100k per copy of Windows...

Silently installing DRM enforcing programs?

[emarkp]

Hmm.. Recently I played Splinter Cell: Chaos Theory, which installed StarForce without my knowledge or consent--and which doesn't uninstall ever unless I download the uninstall tool.

Would this violate this law? I think it should. I wish I'd known about the StarForce installation--I wouldn't have bought the game.

Copy Protected CD's

[complete+loony]

And the driver that copy protected CD's install without your permission to prevent the tracks from being ripped? I had to clean up one of these last week while I was ripping music for my father in law's new iPOD....

Great and everything...

[Zach978]

I like it, but I don't like legislators getting used to writing bills dealing with the Internet...

They get their foot in the door and we might be in trouble...

Enforcement?

[Chris+Burke]

Off topic, but tangentially related: Austin, TX recently passed a city-wide smoking ban. On the news a couple nights later, the anchorwoman said: "With Austin's voter-approved smoking ban coming into effect soon, people are asking how it will be enforced."

Oh, I'm so glad they thought to ask about that tiny, niggling issue of enforcement after voting for it.

And you're right, enforcement is going to be a big issue here. How many spywhores are operating in Washington? How many are operating in the U.S.? When enforcement gets difficult, then enforcement gets selective. The question always is: who is going to do the selecting? That becomes the deciding factor in what the impact of the law will actually be. If it is Microsoft, woe be unto us.

Mod Parent Up

[Rocketship+Underpant]

The parent makes a very good point. A lot of sleazy Digital Restrictions Management software uses spyware and malware tactics to control your computer. After all, it can't work without restricting your use of your own system to some degree.

Can Washingtonians now sue record labels that use malware to prevent CD copying? That would be a terrific step towards ending such nonsense.

Section 5 pretty much invalidates the whole bill

[billstewart]

• 1 - Definitions
• 2 - Intentionally deceptive evil things banned,
• 3 - Illegal to transmit software that takes control of computer or changes security-critical settings,
• 4 - Illegal to deceptively induce owner/operator to install software for security/privacy/viewing, or to execute software that installs software.
• 5 - Covers the ass of ISPs, carriers, hardware and software vendors, service providers, etc. installing, monitoring, managing, or upgrading things or detecting illegal use of networks, services, or software.
• 6 - Penalties
• 7,8,9,10 - Legal technicalities and boilerplate.

Section 5 is directly intended to protect people like anti-virus companies updating their products, Microsoft doing operating system updates, Digital-Rights-Management software companies running licensing spyware, ISPs doing security stuff, etc. Real Networks appears to be pretty thoroughly protected here. But just about anybody selling software is protected, even if it's ueber-blatant spyware, as long as they don't falsely claim that they're the *only* way to view some kind of material when they're not. And the bill makes the classic passive-voice mistake of referring to "authorized" updates and "authorized" remote system management without saying *who's* authorizing it to do *what* to whom. So my software company, Evil-Ware Incorporated, authorizes anybody to install our product on their computers and use it to update their browsers, and we'll be monitoring your machine to make sure you're not using it in ways that violate the 347 pages of fine-print licensing terms that you agreed to when you clicked the "Yes!" button, including Page 157 where you agree that you've read the whole thing and understand it.

It's probably impossible to write a good anti-spyware bill. Not only are legislators and their staffs not skilled enough to recognize the subtleties, but they're under pressure from major manufacturers not to interfere with various software or content licensing products, which are essentially legitimate spyware. Furthermore, it's extremely difficult to draw subtle legal distinctions between edge cases (with a $100K penalty for the loser) when the legislators aren't smart enough to apply the equivalent of the "I know it when I see it" obscenity test. Think about the differences between an email message or web page containing

• a 1x1 transparent GIF HTML tag (obviously a web bug) sent by someone evil,
• same web bug sent by the listbot for a mailing list you intentionally subscribe to,
• an HTML IMG URL that also displays an ad for the usual canned-spiced-meat products,
• an HTML IMG URL that displays the logo of some advertiser or author but isn't tracked and doesn't have the recipient's address or other identifier,
• the same IMG with a URL that does have a query identifying the addressee,
• the same IMG with a URL that is tracked but doesn't identify the addressee,
• the same IMG with a URL that doesn't directly identify the addressess but could be indirectly used to do so if somebody queried the web server logs and correlated them with other databases,
• any of the above, where the image says "Click Here for More Info"
• any of the above, where the image says "Click Here To Be Removed",
• animated singing-dancing humorous video image from some streaming-video provider that tracks recipients by IP/cookies/etc. that you requested
• same video that your Mom forwarded because she thought it was funny when one of her AOL buddies sent it to her,
• same video, sent by spammer who gets paid by the number of people who watch it
• etc. etc. etc. - You can think of dozens more subtly different cases, but you're reading Slashdot, so you're almost certainly more technical than 99% of your legislators and 95% of their staff people.

How about an industry-wide prosecution orgy?

[quag7]

Like many here, I think this law will do a whole lot of nothing.

But as for the comments about Windows and its security holes, and how we should blame Microsoft, I don't agree with this either.

I don't think criminals who break into your house shouldn't be blamed because lockmakers, doormakers, or windowmakers (no relation) should have made their wares of sturdier materials.

People use Windows out of momentum and because they feel they have no choice. Microsoft would clean up its act if consumers forced them to by using other products. A variety of circumstances have largely prevented this from happening.

Mac users have felt that their experience has been better for many years, and have often wondered why anyone would choose a PC over a Mac - especially now with OS X which, they say, rocks harder than a llama with a chaingun and free calzones.

I have seen people complain about the smallest changes on their systems, including point upgrades to browsers or MSOE upgrades.

People aren't down with change, especially on things they think of as complicated devices. Those of us who read Slashdot are, I am sure, far more flexible and adventurous in this regard, but I don't think we in anyway represent consumers as a whole.

Microsoft could probably commit genocide, and people would still use Windows. They could declare themselves as a nuclear power in Redmond, and people still would use their products. Not because they are the best (a minority use them for this reason, but not, I think, most people), but because it is what they are used to, and have become used to and really don't want to learn something new, along with its attendant frustrations, hassles, and time commitment.

People use Windows because they would rather eat glass than have to re-learn a new interface or OS, because, for many, computers are a sad fact of life, as opposed to a fulfilling hobby or something they would choose to spend time using.

That being said, spyware authors are degenerates, and deserve, basically, what they get.

But here's an idea.

Corporations do not ordinarily prosecute virus writers, phishers, spyware authors, and people who crack their systems for a variety of reasons. One is the cost, and two is the embarassment of being compromised.

What if all of the major corporations and banks secretly decided to do a collectively lodge a wave of lawsuits all over the world. Coordinate with governments abroad and just do a year of scorched earth prosecutions of these folks, and promise to follow up with regular "waves" of prosecution, but not say when. In the intervening time, companies would be free to prosecute or not prosecute (or sue) who they like, but they would agree at regular intervals to time their lawsuits to make a massive public statement that they and their customers are sick of putting up with this crap.

This would probably go further as a deterrent since clearly laws and civil suits as they are undertaken now, have not had much effect.

Countries can bring economic pressure to bear on other countries which, mainly through lack of resources I imagine, do not prioritize investigating and prosecuting computer crimes.

Imagine if you rattled the cages of these degenerates in a way that produced not only actual prosecutions, but revenue to follow up with more waves at unannounced rituals? That might have a deterrent effect.

Of course, the question of whether you like the idea of governments exercising their power this way, is certainly valid.

I do not like government. I wish we did not need it at all. I am not so convinced however that since we have it, that the government should do nothing whatsoever when it comes to these kinds of crimes. These crimes have considerable consequences for many, not the least of which is the erosion of confidence in the internet in general as a valid medium of economic, intellectual, and cultural exchange.

Try as I might, I cannot think of a reason why vandals

bill may be unconstitutional

[arbitraryaardvark]

Since the software has no way of knowing what state it's being installed in, this is like if your town council tried to regulate, or ban, the internet.
Earlier this week the Supreme Court held that regulations interfering with out of state wine sales violated the constitution's dormant commerce clause. There have been half a dozen cases, e.g. ALA v Pataki, that say states can't regulate online smut, on commerce grounds.
A person charged under this bill could sue the county/city where he was charged, for violating his civil rights to commerce.
So the bill may just be a bluff.
Has anybody who is literate as to both spyware and legislation evaluated this to see if it hits the target? Does it ban spyware, and just spyware, or are there legitimate apps that would into trouble with this?

Phishing as Fraud vs. Attempted Fraud

[billstewart]

When the phisher sends you email saying "Get a Great Credit Card / Mortgate Today - Send me all your information!" it's not fraud unless you actually give them your info and they use it to rip off you (or some bank, etc.) It is spam, and you'd like it to go away. And it's easier to prove that somebody broke a phishing law than to get your money back.

"This is EBay/PayPal/SomeRealBank/eGold/etc. - Give me all your info", that's lightweight no-money-stolen fraud, unless you give them your info and they use it, in which case it's bigger fraud. The smaller fraud isn't typically worth the effort of the police to track down. EBay/SomeRealBank/EGold could go after them for trademark infringement or something, but you've probably noticed that eBay/PayPal and most banks haven't even bothered to use SPF on their domain names to make it easy for your mail server to discard mail, so that tells you how much *they* care. (SPF's not perfect, but it's a start.) If they steal small amounts of money from you, depending on your state's thresholds, it's still petty enough that the police are not likely to bother with it, and they'll probably find that it's interstate commerce, so it's the Feds' problem to deal with it, and it's almost certainly too small for them to bother with either.

Adding Phishing as a separate crime raises the potential penalties enough that the state police might find it worthwhile to go after a phisher just for sending out the email, if there's a $100K fine or a $100/message fine times a million messages or whatever. In reality, of course, it's almost certainly an interstate crime or an international crime, but at least Washington State gets to spank Washington-based phishers even if they can't extradict someone from Florida or Russia, and they're more likely to be able to extradict them if there's a felony with a $100m potential fine than if there's a misdemeanor with 30 days in jail.

And like it or not, police do prioritize crime-fighting effort based on dead bodies and violence, big amounts of money, political-correctness crimes like drugs, or things that bring revenue to their departments (like traffic tickets). That's not all bad - unless the legislature tells them something is a real priority by attaching lots of money to it, they're going to ignore that spam you're receiving and spend their time worrying about any recent murders and rapes, responding to complaints about street-fights and maybe domestic violence, give out $200 tickets to people with burned-out taillights, and *maybe* deal with stolen cars and laptops, though the probability of success of those two is low enough it doesn't get much effort unless they're busting a suspected fence anyway. If you lost $1000 to a phisher, and you're a grandmother, they'll feel sorry for you, and if you're a yuppie they'll laugh at you after you leave the room. If you're a *bank*, and 500 of your customers have lost $1000, then that's enough that they'll be interested, and anti-phishing laws make it easier to get evidence to catch the successful phishers and stomp on some of the riff-raff along the way.

Re:Realplayer now illegal? hopefully

[plover]

-5, wrong. But thank you for playing Slashdot.

HP has been the poster child for how to install crap the wrong way in Windows.

Set the wayback machine for the late 1990s. I bought a fast, expensive HP inkjet. When I got my brand new printer home and tried to "install" it, the "installer" wanted me to run their stuff. Having had prior experience with HP crapware, I said "no thanks, I'll install it myself." So I clicked up the add hardware lizard, and said "I'll for search myself, and I have a disk, thank you." When I selected the correct HP driver, only a dialog box appeared, informing me "ERROR: You must run SETUP.EXE from this disk in order to install the printer driver."

Yes, I'm sure I could have un-cabbed whatever real driver files there were, made dozens of appropriately arcane registry entries by hand, and had a mostly unstable printer driver at the end of a very long day. Instead, I opted to run their SETUP.EXE.

I failed to recognize my real mistake was in not bringing the piece of sh!t printer back to the store on the spot.

So, I lived with the pop-up printer boxes that interfered with Print Managers inherent ability to deal with an out-of-paper situation all by itself. I learned to cancel the toolbox, load the paper, don't cancel the print job, and basically twirl myself around. (That's what it's all about.)

Well, fast forward to two years ago. Stupid me, I plunked down more money for a portable HP photo printer. Ye gods, I'm still plucking crap out of the registry today for that stupid decision. So, I vowed to never purchase HP again.

Having had generally good experiences with IBM printers at work, about a year ago I switched to a Lexmark all-in-one.

Yes, the quicker of you have already begun typing "you dumb *&^%$" into the reply box.

This pop-up nuisance makes my HP experience seem almost divine. By default it's got to use a digitized voice to talk to me about every print job (better have the speakers turned down for those 2:00 AM print tasks.) It clutters up the toolbars, and the task manager. Right now, I can count at least four running tasks that exist so I can do what, ask it for a piece of black and white paper? What heinous fiend sold Lexmark (and by extension me) this crapware? And what prison can I not visit him in?

No relief for oe, ie and wmp?

[sl4shd0rk]

"Computer software" means a sequence of instructions written in any programming language that is executed on a computer. "Computer software" does not include computer software that is a web page, or are data components of web pages that are not executable independently of the web page.

----

Seems to me they are classing the "spyware" or "Computer Software" independantly of anything you can catch online - with outlook, ie or media player. wtf?

Re:I see why you like that line

[CaptRC]

I don't agree that you should be held accountable for writting poor code, riddled with vulnerabilities. If your app works, then so beit. Accountability falls square on the person with "malicous intent" and nobody else. I have been stricken and subsequently resolved a Browser Hijack recently. And yes, I've switched to FF over IE-6 as a result. But I would not consider Willie G's people at fault for wasting two hours of my life... For that I blame who ever it is that wrote the hijack and to a much lesser extent myself for leaving the doors un-locked. just my 2-cents. Thanks, RG