House Passes Spyware Bills

stinerman writes "Today the house passed two bills aimed at stopping spyware / adware and unauthorized use of computers. H.R. 29 makes it 'unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices'. H.R. 744 (I-SPY Act) prohibits accessing a protected system via code copied on to the system to, among other things, disseminate personal information. Both bills sailed through the house and are expected to be passed by the Senate."

Phew!

[CommunistTroll]

I was beginning to be worried about spyware, but now that Congress has stepped up to the plate all my worries are over!

There'll be no more spyware by Christmas, let me tell you.

Re:Phew!

[PDP1134]

Protected computers...protected computers... Unless you work for Uncle Sam or a bank, you're pretty much out of luck. This bill excludes more than 90% [no, I don't know the exact number] of computers in the US since they are either personal computers or business computers not covered. Wouldn't a simpler definition and law have been: A protected computer is a computer that is present on US territory or owned by the US Government and stationed outside of the US or in the possession of a US citizen while outside of US territory. Any attempt to deceive, in any manner, the owner or operator of a protected computer is illegal. Any modification or addition to the software or hardware of the computer with the intent to add, alter or remove information, copy information to remote sources, or otherwise deceive the computer user or owner of the computer is illegal. These idiots in Congress are defining web browser settings and cookies in the law! Things change, technology moves on. What about RFID chips? Eh? What about...oh heck. Make the penalty death by public flogging upon arrest (no trial) and after the first few are dealt with the rest will start to...no...I was just about to say think. Spyware authors don't think -- and they certainly don't have a concience.

Re:Phew!

[chicago_scott]

Congress. Is there any part of American's lives that they can leave alone?

Spyware with permission?

[Kinky+Bass+Junk]

What about spyware that asks permission before it installs, like Gator and all that. Is that sorta thing covered in this?

Re:Spyware with permission?

[FidelCatsro]

I imagine it would be if it asks for permission to do so explicitly

Re:Spyware with permission?

[NickFortune]

I suppose it's going to come down to what the courts deem as authorisation and deception. Disclaimer: IANAL, I have not yet RTFL.

I'd expect not for things like Gator, since that would be "authorised" access to your computer, with you authorising it. Spyware that comes bundled with other code could sneak past by havting the authorisation burined in the bundling software licence agreement.

On the bright side, it should make the covert installation of spy/malware from a web page illegal. Or maybe more illegal. Of course, those who argue that web page access entails an implicit social contract are likely to feel they have been granted all the authority they need.

I'd guess it needs to be tested in the courts before we can tell wether this is going to be a CAN-SPY bill or not.

Re:Spyware with permission?

[diegocgteleline.es]

Most of the spyware I've seen is legal. They just use tricks to make you agree ("press ok button to get pr0n videos" and then in a small box a contract or whatever saying "if you press ok you agree with...")

Lots of spyware is installed by installing programs that bundle spyware with them. Kazza, divx, etc. People just press "OK, OK, Next, OK" even in the license field. Cookies are used sometimes as a spyware too. This bill is not going to change anything for those.

Re:Spyware with permission?

[dromeditor]

ALL spyware/adware asks permission at one time or another. Whether you click yes on a popup, click to allow an activex control, click next on the install of an adware supported program, click run on the wrong download, or click yes saying you read the license agreement, in the end, the reason for the adware is ALWAYS the user. If anyone ever stopped to read the EULA of any of the programs they install, they'll realize why they have adware. You allow full control and installation of new programs whenever the program wants. Once installed, it can be damn near impossible to get rid of, but it was your fault in the first place. And do not even try to blame microsoft for the adware. You can blame them for not knowing what software is installed on their operating system, but that's because xp is based on nt, which was designed for internal networks with IT departments. The solution is in encrypted installations much like how consoles work. Alex St. John has some pretty good articles on what Microsoft needs to do to fix that problem. But adware asks at least once. If you allow it, you're allowing as much adware as the one program can download. In the end, USER ERROR.

Re:Spyware with permission?

[dkleinsc]

IANAL, I have not yet RTFL.

Don't worry, neither has most of Congress. ;)

Re:Spyware with permission?

Spyware that loads on my machine while I am viewing a web page, with no pop-ups announcing its intent, is certainly not a part of your over-generalization. I recently (after years of being 'safe' from spyware) visited a site I go to nearly every day; since that day my machine has been spywared to death. The webmaster soon advised via email that yes, his server was compromised, and I was one of many lucky recipients.
Not ALL spyware asks your permission.

Re:Spyware with permission?

[rnturn]

``then in a small box a contract or whatever saying 'if you press ok you agree with...'''

Oh, yes. The popular view window that Windows love using that allows you to look at a 1,200 line file three lines at a time. Everyone, and I mean everyone, just loves that. After encountering one of those, does anyone actually spend time wondering why people merely click through without reading the effing EULA? Not that a resizable window would cause everyone to thoroughly read the legalese but it would at least make it possible.

Luckily, the masochistic of us will have discovered that the contents of that 3-line window can be copied onto the clipboard so you can paste it into something that makes reading it easier. (That doesn't work, of course, when you're installing Windows -- "Uh, paste it where?" -- but for 3rd party software it should be standard procedure.) Just ignore that BS about shutting down all other programs while installing the software. I mean, if the installer can't work properly because you have a copy of Notepad running... they're trying to hide something from you.

Re:Spyware with permission?

[bonk]

I don't think it's fair to lay the fault at the feet of the user. Although most (not all) spyware does ask you, they usually do so deceptively, in layers of legal speak and generally unreadable non-understandable contracts. Have you ever tried to read a EULA? Most of it will go above your head or put you to sleep. They count on that.

And, as another issue, they are using YOUR resources to collect information about you. I don't mind as much they use their own resources, time and effort to collect information, but when they use my computer, my ram, my cpu cycles, my hard drive and my electricity that I pay a bill for to gather information about me, even if they 'asked me' buried in some 30 page EULA, I have a right to be pissed. I'm glad Congress is doing something about it.

Re:Spyware with permission?

[blitziod]

why not just mandate that ALL software that generates and ad must be EASY to UNINSTALL and must be VISIBLE when running.

Re:Spyware with permission?

[dromeditor]

Let's get something straight. ALL (yes, ALL) adware asks permission for installation. You cannot get adware with a fresh installation of windows even if you went to the shadiest sites on the Internet without clicking yes to something. Once you click yes to that one thing, the adware that's installed may install other adware....it's all included with their EULA. But you will never get any adware without user interaction. (Viruses not included; I'm talking about adware)

If you're using someone's software, it's your responsibility to read through the EULA. I don't care if it's legal mumbo jumbo or not; you downloaded and installed someone else's product that came with an agreement. It's technically illegal to use the software if you don't agree with the EULA, so again, your fault for not reading it. If you don't want to read it, don't install it.

And since you did install that software on your own accord, any cpu cycles or electricity that software uses is your responsibility. You installed it.

Once again, if you leave a program running on a fresh installation that opens internet explorer windows to random sites on the internet, you will not have one piece of adware on that machine the next day. I don't see how you can pass laws against software that comes with an agreement that people ignore and then complain about later. You cannot outlaw stupidity.

Unenforceable?

[Dancin_Santa]

This is a great step, if only in spirit.

When the spammers and spyware makers start getting fined and sent to jail I think we'll have something to crow about.

Until then, it's just a feelgood law.

Re:Unenforceable?

[__aaclcg7560]

When the spammers and spyware makers start getting fined and sent to jail I think we'll have something to crow about.

As the old saying goes... what we need to have is several sensational murders involving spammers to significantly reduce the volume of spam. Once the spammers figure out that the cost of a few million emails is their lives, they will quickly find alternative employment... like processing missing backup tapes from banks.

Re:Unenforceable?

The problem is, we don't pay lawmakers, their staff, their aides, fund their offices both at home and in DC for them to pass ineffective laws, whether it be concerning spyware or anything else- we incur these costs as a society for a greater good. If someone wants to feel good, they should get a hug from Mommy. But if the law's ineffective, these people aren't doing their job. That isn't a great step, in my eyes...

Re:Unenforceable?

[redog]

Or like most other vague laws put in place by lawmakers, enforcable where it wasn't intended to be. I can immagine some a-hole lawyer using this to criminalize "hackers" so he can gain political position.

"or exceeds authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and by means of that program or code"

Say goodbye to defcon!

so...

[sbeam.dk]

now all spyware companies is gonna outsource to india instead?

Re:so...

"Dude!" is a sentence fragment , Till you learn correct grammar and spelling(your misspelt Grammar), I think you should bite your tounge on correcting others

Re:so...

[treff89]

(1) There should be no space between 'fragment' and the comma, and this should be a fullstop anyway; (2) 'till' should not be captialised, there should be a space in between 'spelling' and '(your'; (3) 'your' should be 'you've' as in 'you have misspelt 'grammar', and 'Grammar' should not be capitalised; (4) 'tongue' is spelt thus. Correctly written, this statement should be written: ""Dude!" is a sentence fragment. Until you learn correct grammar and spelling (you misspelt 'grammar'), I think you should bite your tongue before correcting others." -- Said statement obviously applies to the AC himself. I'm not going to post anonymously, just pointing out some irony.

Re:so...

[Simon+for+$1]

When will people learn to just let the grammar errors go? I know it's hard, but just ignore it.

BTW, "Dude!" could also be an interjection and it's just fine, although I'll agree with you on the total waste of a post.

Re:so...

This is not an informative post. Mod down! I wish I had points..

Re:so...

[Lil-Bondy]

"SENTENCE FRAGMENT"
"But 'sentence fragment' is also a sentence fragment"
*shifty look* (you know the rest)

Re:so...

You probably would have more mod points if you made actual relevant posts under a real /. ID. (not like me)

Re:so...

Somebody please mod the parent "Funny"! It's the most abyssmally pathetic prescriptive post yet!

However, because you've become stupidly picky:

1. misplaced comma
2. "Till" is not a word
3. "misspelt" is misspelled
4. misplaced parentheses
5. "tounge" is misspelled
6. missing a closing period
7. "on" used in place of "when"

The term 'spyware' has fuzzy definition

[guyfromindia]

http://www.eweek.com/article2/0,1759,1788844,00.as p According to this article, leading anti-spyware vendors are working with the nonprofit Center for Democracy and Technology to develop guidelines for defining spyware.
When the very definition of spyware is hanging in balance, I dont see how they can strictly enforce the law.
My 2c.

Re:The term 'spyware' has fuzzy definition

[FidelCatsro]

" H.R. 29 makes it 'unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices' && H.R. 744 (I-SPY Act) prohibits accessing a protected system via code copied on to the system to, among other things, disseminate personal information."

I think that pretty much covers what is defined under the bill , These companys can try to rename it all they want ,But if it falls under these classifcations (read the bill for more clarity) then its illegal(well will be when the bill passes)

Re:The term 'spyware' has fuzzy definition

[a_n_d_e_r_s]

A spyware maker's defense:

"Thats not spyware! Since they have visited my website they are my customers and thus I therefore have their expressed permissions to install software on their computers to be able to send targeted promotions to them. "

Re:The term 'spyware' has fuzzy definition

[TheKnave]

Of course spyware needs to be defined - and a definition can do a lot - IMO it should be something along the lines of this:

"Any and each piece of software that gathers information related to the usage of a computer without specifically notifying the user of that computer of its exact purpose and intended recipients as the first, underlined, in bold, succinct and sufficiently persistant, to be easily readable, installation message - to which the user must agree in order for installation to continue. Further, non-spyware must notify the user at each instance at which it transmits collected data (which it must display in readable form) to its recipients."

Personally I think an appropriate punishment for repeat offenders would be tattooing '1 pWn j00 d4t4' or something similar diagonally across their smug little faces - and quietly removing the penality for anyone who kicks them in the knackers ( or whatever ) with a sufficiently long runup.

What's the catch?

[__aaclcg7560]

I wouldn't be surprised that if you allowed one piece of spyware to be installed, it would be automatically assumed that you want more spyware installed. It's like getting married to one person and finding out that all the in-laws are moving into your new place with you.

Re:What's the catch?

[Vince+Mo'aluka]

The catch is that we already have laws to deal with trespassing and unauthorized acces, and this latest added complexity is just another way to expand the size and scope of government.

Re:What's the catch?

Or maybe, just maybe, it's to clarify existing law, close any loopholes, and make it unambiguous. I really don't see why making spyware illegal is "expanding...government".

TCPA?

[The+Creator]

Any chance this law bans TCPA too by accident?

RTFA , If not then the summary

It does not matter what they call it , the bill defines the actions of the software .

Unintended consquences

[lotussuper7]

Well, I'm not the legal wizard, but the first thing I thought about was will these bills have unintended consequences like the DMCA?

I'm sure that Congress-critters didn't intend companies using the DMCA as an agressive legal weapon it has become.

What twists will these bill's be given to turn them into tools for the harassment of honest people?

Re:Unintended consquences

[surprise_audit]

I'd imagine there'll be something like a disclaimer appearing at the bottom of certain web pages. It'll say something like:

By displaying this page you agree to the following statement: I love spyware, load me up!!

in a very small font.

Re:Unintended consquences

[sound+vision]

The DMCA's consequences were quite intentional. The recording industry bought that legislation.

Re:Unintended consquences

will these bills have unintended consequences like the DMCA?

What on earth makes you think that the DMCA's consequences were unintended? The RIAA and MPAA wouldn't be getting their money's worth if it was all done by accident, would they?

Re:Unintended consquences

[mankey+wanker]

I think you raise an interesting point. The hope is that legislation is written correctly the first time. In reality, and very much like code, laws require ongoing tweaking and maintenance. At least the heart of this law is in the right place. The implementation is probably all wrong and subject to being rewritten later on.

Re:Unintended consquences

[QuantumPion]

I think the problem is the all-inclusive and all-powerful EULA's. When joe someboy decides he wants to install the new version of weatherbug, he doesn't read the EULA when the installer asks "do you agree with everything in the licensing agreement", which can contain whatever the spyware companies need to justify the legality of their malware.

I think it should be made that EULA's are not allowed to contain anything except information about the license agreement. No specific actions or clauses such as "by installing this software you agree to let us install third party malware and divulge your personal information" are allowed.

For any agreement that does an action, such as install some third party crap, the installer has to explicity ask the user whether he agrees to install it in a plain, short, easy to read dialogue box.

Re:Unintended consquences

[MC68000]

I think that grandparent is refering to other things like the inability of of Photoshop to read Nikon raw images or the inability to reliably stream iTunes music

Re:Unintended consquences

[orderb13]

How is not reading an EULA any different from not reading any other contract?? Government is NOT there to protect people from their own laziness/stupidity.
As long as it is written in plain english, which is one of the provisions of this bill, there should be no problem. It is not like the person HAS to have this nifty piece of software to live.

Re:Unintended consquences

[lotussuper7]

I wasn't thinking about the RIAA et al when I wrote the initial post. I was thinking along the lines of the way the DMCA is being used by business operations like some cults to harass critics by claiming they own the copyright to even words that are on a page. The law doesn't really give an ISP the chance to apply intelligent judgement, but really forces the ISP to act in a prescribed way that is not very fair. (c.f Section 512(g)(1))

Re:Unintended consquences

The DMCA had no unintended consequences. BAD consequences yes, but not unintended by Congress (no matter what lie they try to tell you).

Re:Unintended consquences

[jZnat]

I guess that makes me glad to know that Firefox allows me to set a minimum font size to display.

First Steps...

[kf6auf]

The problem with first steps (whether it be Congress's legislation or international treaties) is that because it's a first step and getting agreement it hard enough they can't accomplish very much and, yet, after the first step has been taken no one feels the need to take another step. My guess is that this legislation is too weak to accomplish anything and nothing will really be done until it becomes a big enough problem that the politicians can't say that they worked on it and are waiting for it to take effect or some BS like that.

Now if they had only made it part of the DMCA, then we would get some quality legal action going by the **AA and we might actually solve the problem.

Re:First Steps...

[geoffspear]

Insightful? Why would the RIAA/MPAA care if someone's installing spyware on your computer?

This act makes it clear that the Federal Trade Commission is to see spyware as a clear violation on the prohibition against deceptive trade practices. Does just mentioning the DMCA and **AA get you an Insightful mod these days, no matter how far off-topic you are?

Re:God help us

" This is not a troll."
The moderators aparently disagree.

what about m$

[William+Robinson]

"H.R. 29 makes it 'unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices' && H.R. 744 (I-SPY Act) prohibits accessing a protected system via code copied on to the system to, among other things, disseminate personal information."

Does it prevent M$ from collecting info from your PC?

Re:what about m$

[maxwell+demon]

Only if you don't agree. Does the EULA say anything about it?

Re:what about m$

[Timesprout]

MS dont collect personally identifable information. If this is a concern for you then you should be a lot more worried about google.

Re:what about m$

[tero]

No, they become authorized users as soon as you've accepted the EULA(s).

Re:what about m$

Google does not encourage any spyware. If you are referring to personal information submitted *intentionally*, that is offtopic.

Re:what about m$

[userdefined]

From H.R.29 Sec. 2.5.b:
"... preventing reasonable efforts to block the installation or execution of, or to disable, a component of computer software by ... causing such a component that the owner or authorized user has properly removed or disabled to automatically reinstall or reactivate on the computer. "

nevermind the info collection, i want to know if this means that when I replace notepad.exe with one of the many free (as in beer and speech) variants, and then windows changes it back to protect me from 'unwanted' changes, that it'd be illegal? (probably not, since it could be argued that I hadn't 'properly' removed it ... )

Re:what about m$

[mmeister]

you mean I should stop searching for my pr0n using Google?

Re:what about m$

[saur2004]

Then why the F??K did everyone get all ticked off at INTEL for daring to add a unique number to each one of thier processors?

BTW, sorry for sounding like a broken record about the above, but it really ticks me off that M$ doing essentially the same thing in the WPA is now somehow OK.

Protected computers?

[Lihtan]

I have a feeling that the thousands of ignorant users that don't run a firewall or even bother with security updates aren't going to be considered "protected computers". *Sigh*

Re:Protected computers?

[Jurph]

No, "protected" refers to the bill/law, not to any act on the user's part. There are lots of comments on this article that include the text, but you can find it at USC Title 18, Ch. 47, Section 1030 (definition of a "protected computer").

Re:Protected computers?

Downgrade the moderator 2 points. "Insightful" ?? "Protected" means protected by this bill, not by some firewall. The poster was trying to be funny!

I'm no lawyer but...

[ZeroTrace]

US Code Title 18 Section 1030e: (2) the term "protected computer" means a computer-- (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or (B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States; This doesn't protect anybody but the government... Back to the drawing board I guess.

Re:I'm no lawyer but...

[maxwell+demon]

If you post to slashdot from a computer which is in another state or country, then AFAICS you are doing interstate or foreign communication. The same applies if you exchange email with someone in another state or country. However IANAL.

Re:I'm no lawyer but...

[hhghghghh]

or (B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States; This doesn't protect anybody but the government... Back to the drawing board I guess. The wording is because of States' rights. Congress can pass laws regulating interstate commerce, and some other topics (like defense, international relations, etc.) In practice, if you've ever used your computer to buy something off of e-bay, or to even look at a commercial from out-of-state, it's been used for interstate commerce. And if you haven't, you might. So that means everybody, just nice and constitutional-like.

Re:I'm no lawyer but...

[ScentCone]

This doesn't protect anybody but the government...

Though I'm not sure that's exactly true, the real issue is that if somebody's malware does get onto the desktop of, say, a project manager working at the Agriculture Department, then that publisher's going to wind up in heaps o' trouble regardless. I don't care if they go down because my local sheriff presses the case, or the feds do. They'll go down harder if the feds do it.

Re:I'm no lawyer but...

[Vitriol+Angst]

I was worried about that little weasel word; "protected computer". I was hoping that this congress would have actually done something good(TM), but again, they have been cynical and shifty. If this is only for Government and Financial institutions, it means they are still philosophically opposed to helping anyone not helping their pocket.

I sound like a broken record, don't I. But this is depressing. They could have done something good, and it would have only hurt a few spammers and jerks. Unfortunealy, I am not one of the protected class.

Expect to get MORE spam and trojan horses after this bill--just like the spam bill actually ended up making SPAM OK. I just have to tell them to stop, so they can hit my verified email from a thousand other ip addresses.

Re:I'm no lawyer but...

[tepples]

If this is only for Government and Financial institutions, it means they are still philosophically opposed to helping anyone not helping their pocket.

Well it's not. See (B).

One more law

[Actuator+Man]

What we really need is a law to prevent idiots from using a computer... (or driving a car, buying a gun, voting)

Re:One more law

[skiman1979]

or install a tazer in the mouse to give the user a shock whenever they download the latest smileys, or play those games to "identify which celebrity is Paris Hilton and win $500."

Re:One more law

[gowen]

What we really need is a law to prevent idiots from using a computer... (or driving a car, buying a gun, voting You forgot "getting elected president"

Re:One more law

Srcew you, I resemble that comment.

pdtinzn

Re:One more law

Don't forget the most important one: being voted

Re:One more law

I dunno, in retrospect Carter didn't do that much damage.

Re:One more law

[SammysIsland]

driving a car, buying a gun, voting: don't forget running for president.

But...

[CountBrass]

Is this really something that government should be legislating at all?

It let's both ignorant users (whom I can forgive) but also Microsoft (whom I can't) off the hook. Rather than having to secure their systems/fix fundamental security flaws in their OS and applications they can just hide behind this new law: "It's not our fault we didn't do anything wrong, they broke the law!"

Re:But...

[Dr.Opveter]

The law in my country says people are not supposed to break into my house but that doesn't mean i don't lock the door..

Re:But...

[takeya]

I agree, like it or not, this is not really something the government has been delegated the right to have a say in by the people.

Slashdot is too full of narrow-sighted people who will say the same things I just did about acts like REAL ID, but fail to realize that legislating computer software is also not within their rights. The 10th amendment is always my favorite defense, but nobody really cares about the Bill of Rights anymore and it's sad.

Re:But...

[smchris]

Sounds like you're still in that Reagan era mentality that anything government does is evil (Real ID) and everything business does is good (Spyware). Which Right in the Bill protects spyware? You think it is freedom of speech?

Both Real ID and spyware are invasions of the target's liberty and security.

Re:But...

[dnoyeb]

My mother is not an ignorant user. She is legally blind. I am sick and tired of cleaning this insidious shit off her computer every 2 week. Yes there is firewall, yes I run spy wear cleaners, yes I have anti-virus installed...

She can't see these things that pop up in small corners at times. Or can't be arsed to read them considering how long it would take her away from something thats already going to take her a while to get done.

MS on the other hand should be ashamed of itself. Crap ass browser letting this crap in. Not only that, THERE IS NO WAY TO DELETE these browser plugins, you can only disable them. WTF is that??

MS has been complicit in this mess. I hope this puts some pressure on them to close the holes. (And not offer a new OS as the patch)

Re:But...

[WebCrapper]

I completely agree. My sisters are handycapped and have the same issue with their computers. They'll agree to anything. My mom, thats a different story but she's starting to learn.

Microsoft should be part of this issue. With the ability to add plugins automatically, users should be able to remove those and turn off the autoinstall feature. I doubt this will be in the next release of windows and it sure as hell won't be in any upgrades to IE anytime soon - too much money to gain by having people buy the new OS that lets people actually control their software.

Re:But...

[michrech]

Obviously you have never heard of hijackthis. It should not be used by someone who has no idea what they are doing, but it *does* remove BHO's quite nicely.

Along with Ad-Aware, it is quite effective.

---
Read my Journal

Re:But...

[Wordsmith]

Tell her to stop reading those braille porn sites.

Re:But...

[Winkhorst]

Under this theory of free speech, I have the right to stand over your bed at midnight and give you my opinion on current affairs. I also have a right to privacy, and that includes a bunch of hax0rs breaking into my computer and turning it into a zombie or some moron corporation trying to sell me exactly what I just bought from them. No, free speech does not include the right to be heard.

Re:But...

[Big+Mark]

espescially in safe mode. Only ones it doesn't remove are the truly insidious things that embed themselves into the Windows startup chain, such as that sod that tells the registry to run asdfasdf.exe instead of winlogon.exe.

Re:But...

[override11]

The more you allow yourself to be governed by others, the less you are free. Remember that when we are all bowing to corporations who have completely purchased our government.

Re:But...

"Trust in Allah, but tie up your camel."

Re:But...

[advocate_one]

almost right... Think of the thieves as the spyware makers, Microsoft as the builders of your house, and you as the occupant...

Now my insurance policy requires me to have secure locks on the doors and windows from a list of approved types, the builders of my house actually installed good locks and latches which actually were on the list... now it's up to me to actually use the locks and latches... if I do and thieves still break in, then I'm covered by my insurance, if I failed to secure a door or window and they break in, then my insurers laugh in my face...

My builders, however, are not actually responsible for fitting decent locks to the doors and windows, they could just fit some really cheap and nasty ones that just about do the job, but it makes good business sense for them to do so as it is a selling point...

Microsoft currently, acording to the analogy, install the barest minimum in the way of locks, or else set stupid policies like users are admin by default and the default admin password is blank... It's up to me to make my system secure as ultimately, it's my data at risk... however, it would make good business sense for Microsoft to get their act together and start installing decent security and policies by default... just some clueless users are going to get all uppity about having to remember passwords and change to admin mode to install software...

Now I'm a bit confused as to why Congress have stepped in and outlawed spyware, but then, they probably are performing the same function as the lawmakers who've outlawed thievery and set penalties for it...

Re:But...

[elgaard]

Instead of complaing about MS, you should just use a different OS product. Linux, MacOS, Solaris,...

Re:But...

[tha_mink]

Seriously, that is a horrible analogy. I love Linux but c'mon Linux would suck just a badly and there would be just as much malware if the whole world was using it.

Re:But...

Yes, beacuse that will be SO much easier for his mother to use. For pop-ups, I do however suggest one open source app, Firefox.

Re:But...

I always thought protecting property was generally one of the few areas libertarians considered correct for government intervention. If Malware isn't about causing damage to property, I don't know what is.

Of course, I'm assuming your desire to avoid government intervention comes from libertarianism, not pseudo-libertarianism (liberty only for those being evil - a branch of the current Republican party) or anarchism.

Re:But...

[Dannon]

Takea specifically mentioned the 10th amendment. That is, the part of the Constitution that says that every business not specifically mentioned in the Constitution is up to the States or locals to figure out, and the Feds have no business sticking their schnoz in it. Trespassing isn't something you go to the Feds for, nor is simple theft, etc, etc.

Now my two bits: I see spyware as an act of trespass. My computer is my private property, as much as my house. My computer and my house are both extensions of my person: I've spent an irreplacable portion of my life laboring to acquire them, and investing in them. If you're in my house without my knowledge or permission, you're trespassing. Even if all you do is look around, or harmlessly rearrange the furniture, you're violating my property rights. Ditto for my computer. It doesn't matter how benevolent or malicious you are, if I haven't invited you in, you're trespassing.

The problem as I see it is this: We've got a lot of groups out there, from script kiddies to impersonal mega-corporations, who don't get the idea of respecting the private property rights of individuals. Only government has the power to keep them in check, and even the government doesn't respect our individual ownership rights (eminent domain abuse, drug war laws enabling confiscation without warrant, etc). The past few generations have been learning a whats-yours-is-mine attitude. That's the problem.

Re:But...

[MindStalker]

I was about to mod you troll, but I stopped. The parent didn't even mention Linux, therefor you are trolling by trying to imply that he was saying Linux was better. I noticed you are base +1 so I figured I'd give you the benifit of the doupt.

It really isn't a horrible analogy, there are some bad lock systems in place in Microsofts products. But the worst part is most spyware/junk gets through by the users letting them in.
No product can stop this, just as no security system can stop your from opening the door to a theif (you could have some facial recognition system just like your could have a malicious detection system in your computer, but its overkill as your trying to fix the stupidity of the user).
But it currently is a crime to come to someones house and scam them or force them out of their belongings even if they let your in willingly.

Re:But...

[zenetik]

True, idiot end-users are ultimately at fault. Nonetheless, spyware developers prey upon the weak-minded and computer-illiterate in the same way other criminals do. Spyware is a threat to commerce and costs money to eradicate. Multiply the negative costs in dollars times millions and the problem really adds up. It is therefore in the public interest for the government to step up and protect the idiots -- as well as the rest of us who still get indirect fallout from problems created by the idiots (e.g. slower networks, more restrictions placed on all broadband users because of the idiots, etc). Mostly though, I'm still waiting for Congress to authorize the death penalty for spammers.

Re:But...

The past few generations have been learning a whats-yours-is-mine attitude. That's the problem.

Actually, in response to communism, the exact opposite has occurred. But you already know that.

Re:But...

[orderb13]

I bet they are putting this under the heading of "Inter-state Commerce" so that they can "legally" do it.

Re:But...

It's not a bad analogy, but it isn't quite accurate. Microsoft is the builder of the house, and while the door locks are modestly solid, there are various windows whose glass panes were never installed, resulting in large, gaping holes in the wall.

Re:But...

[Almost-Retired]

Yes, its sad that the original Bill of Rights is so often ignored, at least until the more gross violations get to the Supremes.

Me, I tend to have faith in the 1st and 2nd. If they're honored, then the other 8 will have a long term tendency to fall into line.

Right here and now, I'm exersizing the 1st, my right to make a statement. We have had that for so long now, that attempts to limit it, are, including the recent "campaign finance reform" that took away over 5 million voters rights to say how they felt, will be circumvented, one way or the other.

And my sig indicates my feelings on the 2nd. It appears we are at the Jury stage now, but the relative lack of success there, at least in many of the lower courts where (buyable judges, and/or judges with an agenda) no juries hear the arguments, does make me wonder how long it will be before reaching for the 4th box.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)

Re:But...

[Wile_E_Peyote]

It let's both ignorant users (whom I can forgive) but also Microsoft (whom I can't) off the hook. Rather than having to secure their systems/fix fundamental security flaws in their OS and applications they can just hide behind this new law: "It's not our fault we didn't do anything wrong, they broke the law!"

To hold MS responsible would be like holding a home builder responsible for burglaries.

Re:But...

[Vertdang]

Microsoft Antispy Beta can also remove BHOs. It seems to work quite nicely. It even has information on each one and what it's used for, so people can make an educated choice on what to keep and what to delete.

Re:But...

[elgaard]

>Yes, beacuse that will be SO much easier for his mother to use

Yes it will. Linux works for my mother. I am sure MacOs is easy too, but his mother would have to get a new computer.

Re:But...

[Dannon]

They always do, don't they? As if breaking into my computer and spying on me qualified as "commerce". Commerce is when there's a voluntary exchange of goods and services. Calling this trespass "commerce" is an insult to honest business everywhere.

Re:But...

[confused.brit]

spywareguard also prevents BHO's.

www.javacoolsoftware.com

just a pity the liveupdater is broken

Re:But...

[lowsinon]

You can't be serious... Any application that exploits a security flaw should be illegal (With the exception of your own or authorized, as stated in the bill). MS may have flawed software, but taking advantage of a flaw, for personal gain is down right evil. This legislation brings to light the fact that there are corporations out there(mainly marketing) that essentially, yet passively, hack people's systems. This is already illegal. If they were not to legislate this, then at least expand the scope of the definitions of hacking, viruses, and the like. The new vulnerabilities that are found regularly(IN ALL PLATFORMS AND BROWSERS) it shows that MS(still being evil) is not that bad guy on this one. The bad guys are spending millions on researching how to make there "spyware" hard to detect and difficult to remove. I know most of you hate MS but you can't ignore these things. STOP THE BAD GUYS(and let the evil be)

Re:But...

[dnoyeb]

Shes already blind. She would have to learn _how_ to use linux. And no console either. Plus we would need a screen reader package. i have investigated and see that there is an available screen reader but I have not tested it.

If I choose Linux I effectively become the developer and have to learn every single package and help her to use them. I just got no time... While there are packages we have found that work on windows, and that took several years too.

What about non-US spyware?

[skiman1979]

What about spyware coming from non-US systems? US law does not govern these systems. What happens then if I get hit with spyware from some other country?

Re:What about non-US spyware?

[surprise_audit]

What happens then if I get hit with spyware from some other country?

Write to your congressman. He'll forward your letter to a collating department at the Dept of Homeland Security. The first country/state/banana republic to score a stack 1 inch high (or 1000 complaints, whichever occurs first) wins a free WMD inspection courtesy of Dubya. Use really thick paper for quick results...

Re:What about non-US spyware?

What about spyware coming from non-US systems

lol, next you will be telling us that 90% of spammers are based outside the US....oh wait

Re:What about non-US spyware?

Why do people assume that being outside the US protects you from the US court system? If your actions are such that they have effects within the US, there is a very good chance that jurisdiction will be upheld. (There's more to it than that, but that gives you an idea.)

Otherwise, GM would just move completely overseas and ship product in. That way they could be immune from lawsuits for products liability.

Re:What about non-US spyware?

[QMO]

It's relatively easy to enforce an embargo on illegal automobiles.
It is basically impossible to enforce any kind of embargo on spam.

Re:What about non-US spyware?

[SmurfButcher+Bob]

Oh, c'mon. This is the U.S. for chrissakes, and G.W. is president. If your computer gets invaded from some other country...

Re:What about non-US spyware?

Wow. Some fucking ignorant moderator got out of bed the wrong side this morning...

Re:What about non-US spyware?

[skiman1979]

yes, the WMD inspections will then commence... on a side note, I did notice some attempts from someone in Taiwan trying to get into my system the other day...

Code

Code copied on to the computer... Is binary counted as code or does this only outlaw Free-software & Open-Source spyware?

Re:Code

[maxwell+demon]

Why shouldn't machine code be code? Or byte code?

However there's another fuzzy border: Where does code end and pure data begin? E.g. if I set a cookie at a browser, then it causes the browser to send the cookie back to me every time someone accesses my web server. Now, is the cookie code (because it actually triggers an action), or is it just data (because it doesn't actually have commands, it's just a name/value pair, and it's the browser which does the sending anyway).

This line is fuzzy because for interpreted languages you could as well say the commands are just data, and it's only the interpreter which actually performs certain actions based on the data.

I for one wouldn't be unhappy if that law also covered tracking cookies from advertisers.

Unenforceable and pointless

Note also that it's unenforceable because of its use of the phrases protected computer and protected system.

Since any system on which spyware has managed to get itself installed is clearly unprotected against it, the new legislation cannot be relevant. This makes the law only applicable to computers and systems on which spyware has failed to gain entry, but where the attempt was detected and then leads to prosecution. But since there was no harm suffered, there can be no compensation either, and therefore only lawyers can ever benefit from this through their fees.

In other words, it's a totally pointless law, unless you're a lawyer.

Re:Unenforceable and pointless

[Lil-Bondy]

i think by the term 'protected' it means something more like has anti-spyware, yet the spyware still passes this, or something like that, otherwise, im becoming a lawyer

Re:Unenforceable and pointless

[Tim+C]

"Protected" is not a synonym of "impervious".

Re:Unenforceable and pointless

[Secret+Agent+X23]

I'm pretty sure the word "protected," in this context, refers to computers that are covered by the legal protection defined in the bill. It has no technical significance at all.

Re:Unenforceable and pointless

That would make the Access Control Mechanisms part of the DMCA unenforcable too, given once an ACM has been compromised, it's no longer "effective" (one of the qualifiers used in the bill.)

In practice the law in both that case and this means something else. The wording describes the intent. If you create a computer where you haven't made any effort whatsoever to protect processes from one another and have even, deliberately, created APIs to allow programs to install that are automatically downloaded, then you have an insecure system. If you've made an effort, as Microsoft has, to prevent this, then it's a secure system. It doesn't matter that Microsoft's efforts are far from perfect, what matters is that the system is intended to be secure, a person writing for it knows that when they write things that download and install automatically, they're doing something that was never intended, and they know someone who bought the computer did so knowing the machine is intended to only run the software the purchaser deliberately installs.

So yes, the wording's fine. Geeks may not like it, but this is a legal document not a technical specification.

lawful at home?

[tille]

"unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices." So if I am at home, working on my own computer which is behind my firewall, I can send out all the spyware I want? Something wrong with the wording here...

phoning home allowed, "discretely"

[Joseph_Daniel_Zukige]

See section 5, limitations.

Oh, sorry, that was HR29 "discretely"

[Joseph_Daniel_Zukige]

and what i want to know is the meaning of HR744, section 2.c.

Re:God help us

[OneDeeTenTee]

" This is not a troll."
The moderators aparently disagree.

Just because they're on crack doesn't mean they can't be right every once in a while.

Thank God

This will end spyware forever. What would we do without congress?

The only rational response to legislation like this should be peals of derisive laughter.

Re:God help us

" Just because they're on crack doesn't mean they can't be right every once in a while."

So of like John Dvorak then.

Mod parent up!

[Joseph_Daniel_Zukige]

The less government tries to do for us, the more we do for ourselves, the more free (not as in beer) we are.

Re:Mod parent up!

[Mother+Sha+Boo+Boo]

If you don't want your government doing anything for you, why would you you want a government for?

Re:Mod parent up!

[eUdudx]

Perhaps this argument is Off-topic, but in reply to Mother Sha Boo Bo, to the extent that government exists, my earlier comment was intended to be terse and perhaps humorous in making the point that you sometimes actually do get (a bit) of your money's worth. I just see it so seldom I wanted to hold out hope. no ranting here, don't care about the mod-down

Spyware? How about spam proxies

[Underholdning]

Great! This would effectively outlaw spam, since most spam is sent through compromised windows boxes acting as proxies.
Oh wait... it only applies to computers used by the United States Government according to tfa...

Wiretapping

[jwdb]

How does this affect government observation programs (you know, carnivore et al...)? Does this force them to get a warrant in all cases to certify that they really are 'authorized users'?

Jw

Re:Wiretapping

[BCW2]

If enforced creatively it means spyware is really an illeagle wiretap, like most of us thought all along. After all it really is electronic monitering of one actions/communications without a court order. If DA's would have done it this way a few years ago no new law would be needed. Of course Congresscritters don't get press when someone enforces an existing law, just when they write a new one, even if it is un-nessesary and un-enforceable(this one, Can-Spam). Got to get some press, election is only 18 months away.

Has any politician ever met a camera or microphone they didn't love?

Re:Wiretapping

[JFMulder]

You don't get it. Carnivore doesn't exists, so it's a non-issue. *wink wink*

Re:Wiretapping

I haven't read the bill, but these things almost always have an exemption for law enforcement.

Great except for one little detail

[syntap]

unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices

I guess this means my deceptive aliases on slashdot and every other potential spammer Web site can now land me in jail, assuming slashdot is a "protected system". I guess I'm an "authorized user" of /. but the definition of an "authorized user" will be interesting.

Re:Great except for one little detail

RTFA, or even RTFComments. This act makes it unlawful for anyone to compromise Government systems, unless, apparently, they're authorised to use such systems. Means nothing for everyone else.

Re:Great except for one little detail

Bullshit. The legislation says nothing about gov-only computers, and in fact assigns the Federal Trade Commission as the enforcement agency.

Interesting choice for a sunsetted law

[syntap]

Usually there is public interest in sunsetting bills that are polarizing so they must be re-authorized later, like the USA PATRIOT Act. But this bill sunsets December 31, 2010. You'd think by then that stronger regulations will be needed to fix all the loopholes this one creates, but look out for spyware set to report all you personal stuff back to home base on Jan 1 2011!

Re:Interesting choice for a sunsetted law

[jZnat]

In that case, I'd suggest that they sunset the bill on 19 Jan 2038 instead.

I'm with you!

[StarCharter]

As soon as it's illegal, all the perps will stop. All of the drug laws prety well stopped local pushers and I feel SO much safer now that terrorism is against the law.

spamme

jose.prueba@red.es

Seriously, though... Net effect = 0!

[octaene]

Does anyone, even in Congress, seriously believe that this will change anything at all? I seem to remember that CAN-SPAM was just so effective in reducing the number of spam messages I get each and every day...

I really don't get it. These kinds of bills are only passed so that during Representative Knumbskull's re-election campaign, he can state that he 'helped protect Americans from evil computer programs that attack their privacy'. What a waste of our taxpayer dollars!!!

Great!

[rogerzilla]

Let's hope it's as successful as the YOU-CAN-SPAM Act. That really showed those Nigerians and Chinese (not to mention the big American spammers) who was boss, didn't it?

Yeah, right.

[shreevatsa]

now all spyware companies is gonna outsource to india instead?
Yes of course. Because the law says that if the spyware has been developed in India instead of the US, it's perfectly legal for it to install itself, right?
I know you're always looking for an opportunity to whine about outsourcing, but try to keep it on topic. Whether or not the spyware companies outsource to India does not affect these Spyware Bills in any way; so your post is just offtopic.

Re:Yeah, right.

[dwpro]

Actually, it doesn't seem that far off base, from my perspective. If other countries do not have similar laws they will likely be unaffected by this legislation, and spyware companies will simply move off US soil. Since india has a large pool of employable tech people, it seems plausible that they would move there.

Even though India is not the only place offshore the jobs could move to, I think you had a knee jerk reaction to his post.

Re:Yeah, right.

[shreevatsa]

I understand what you are saying, but there's a slight difference here.
If a spyware company itself moves off US soil, then what you say is perfectly right. Not being a US company, it would possibly not be subject to the same legislation.
On the other hand, what he said was " now all spyware companies is gonna outsource to india instead?", referring to a US-based company outsourcing the development of its spyware to some cybercoolies in India or anywhere else. In this case, the company would continue to be affected by the legislation, irrespective of where the actual development of the spyware programs occurred.

Re:Yeah, right.

[dwpro]

It is likely that the original poster was thinking the way you mentioned. One can view it from the perspective that the US-based companies are the ones purchasing the data from the spyware companies, "outsourcing" the data strip-mining to non-US based companies.

The "outsourcing" buzzword was probably not necessary. Either way, jobs are moving overseas and US programmers are out of (very immoral and shady) jobs.

Re:Yeah, right.

So, you mean companies aren't outsourcing to Canada to avoid the DNC list?

Wow, news to me.

trusted computing

heopfully itll make palladium/trusted computing illegal too. unless they deem authorized from the trusted computing routine's opinion. making it illegal for you to use it the way trusted computing doenst want you to.

I hope this is carefully written...

[ericbrow]

So does this mean I can't enter bogus information to access a site or download so I can avoid spam? If I don't own the site's servers, and I enter a bogus e-mail just to download a whitepaper, then that would be deceptive. I feel like such a criminal. I wish these people would get their tech gurus to help them write this stuff.

Earthlink

... is going to do away with spyware. I saw it on tv it must be true.

email addresses as code

[hadaso]

Some time ago I suggested in another forum that email addresses can contain small scripts as handling instructions for the receiving server (such as for authentication, for filing, for expiry dates etc.) Now this law makes it illegal to send spam to these kinds of addresses. Make your email address something that can be considered "code" and this bill covers them because sending email to tsuch an address is actually causing code to be executed on your computer!

Product Activation

[datadriven]

Does product activation/registration count as spyware under the bill? They're sending my personal information somewhere else.

This does not apply in the states!!

Don't you peepholes get it yet?

The feds only have jurisdiction within their area or over their "subjects" (Slaves).

So they can write all the stupid laws they want, but as long as you are not their property anymore they can't tell you what to do.

So get rid of your Federal Serial Number (SSN), it's socialism anyway and you are a real American, First Class right?

You don't want to be a Second Class Citizen / Subject owned by the government, right?

Too hard to do? Well then let those bastards keep running your life and sit there clueless as to what is going on.

How about cookies??

[scovetta]

...prohibits accessing a protected system via code copied on to the system to, among other things, disseminate personal information.

Could a shared cookie be considered spyware? (I visit foo.com, which has an image on evil.com that places an evil.com cookie on my machine. Then I visit bar.com, which also has an image on evil.com. Evil.com shares this information between foo and bar. $Profit$

Re:How about cookies??

[hedora]

The first bill mentioned above requires an official investigation into cookies, and their similarity/relationship to spyware. Depending on the result of the investigation, the bill says that it may be applied to "tracking cookies" in the future.

deceptive?

'unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices'.
I don't own a computer, and now congress says I can't lie to my girlfriend?

I-SPY and other such acts

[potpie]

Anyone else notice that politicians these days always make their acts spell out cute little words or phrases with their acronyms (PATRIOT, I-SPY, etc.)?

Well I'm going to become a politician and write up the OMGWTFBBQ act.

Re:I-SPY and other such acts

[The+Desert+Palooka]

That's USA PATRIOT Act to you... haha...

Re:I-SPY and other such acts

Obviously Meaninglessly Grouping Words To Feebly Boost Bill Quality Act?

Vague.

[Bloater]

How does it define "protected computer" and "protected system"?

It could be completely toothless. Do you have to spend $10,000 per year on IT security services before your computer is considered secure. And is an unpatched system considered "not protected"?

What if it was paid code?

"H.R. 744 (I-SPY Act) prohibits accessing a protected system via code copied on to the system to, among other things, disseminate personal information"

Will this cover code you have paid for? Like IIS, for example?

Also prohibits sueing spyware users?

[mnemotronic]

Prohibits any person from bringing a civil action under State law premised upon the defendant's violating this Act.

If I read that correctly, I can't sue someone who installs spyware on my pc or tries to phish me. But I don't understand the "under State law" clause, so maybe I could still sue under federal law? Does this limit my recourse to breaking the guy's kneecaps?

So...

H.R. 29 makes it 'unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices'.

So to paraphrase that: Only the owner or authorized user of the computer is allowed to engage in deceptive acts or practices.

Nice of them to spell that out for us.

Why Bother?

[sqlrob]

There's already laws against unauthorized computer access, just enforce them.

Yet another unenforced law doesn't do any good.

File under stupid laws.

[g0bshiTe]

Ok this is yet another example of wasted tax dollars deliberating something that is obviously never going to be enforced.

"Wahoo, the Senate made it illegal for Spyware companies to install it on my system, wait a tick. If I install a trojan on someones system why is that a stiffer penalty than spyware? Both are installed without the users consent to track movements, wreak havok, both could be used for malicious purposes."

I can see this already, spyware will still be produced en masse, the people who deploy it will simply move somewhere not governed by US law. New law circumvented, tax money wasted, spyware still rampant.

Re:File under stupid laws.

It still might be enforced, just not against spyware as we currently know it. When DMCA passed, who would have guessed that it would have been used by Lexmark to sue people who made compatible ink cartridges?

Why?

[Chanc_Gorkon]

Why was this bill even necessary? It will only stop those who are trying to use spyware as a supposed business model(HEllloooo Claria...). Did this really need another law? This is yet another case of our representatives not understanding technology and not understanding that with a world wide system, it's impossible to enforce.

Useless? 'protected computer'?

[E+IS+mC(Square)]

>>any person who is not the owner or authorized user of a protected computer

So, Joe Sixpack is not yet covered by this just because he does not know how to run a firewall - i.e. his is not a protected computer.

Typical BS.

Re:Useless? 'protected computer'?

[Jurph]

No, as usual, Joe Slashdot has utterly failed to do any research. From U.S. Code Title 18, Chapter 47, Section 1030, which this bill amends:

(2) the term ``protected computer'' means a computer--
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

So this bill applies to any computer in the United States which communicates with any computer not in the same state (reserving that power for the legislatures of the states). It even covers your computer, as long as your comments here can be broadly interpreted as "communicating". Yeah, I know -- it's a stretch.

Re:Useless? 'protected computer'?

Right. So by this definition, all Joe (sixpacks and slashdot) are guarnteed a cover, eh?

Re:Seriously, though... Net effect = 0!

[fearofcarpet]

Does anyone, even in Congress, seriously believe that this will change anything at all? I seem to remember that CAN-SPAM was just so effective in reducing the number of spam messages I get each and every day... I really don't get it. These kinds of bills are only passed so that during Representative Knumbskull's re-election campaign, he can state that he 'helped protect Americans from evil computer programs that attack their privacy'. What a waste of our taxpayer dollars!!!

How dare you imply that our congress would use meanlingless legislation as nothing more than a tool to leverage votes during their next re-election campaign! This congress has a proud tradition of meaningful laws that benefit everyone, like the Schiavo Measure or important legislation that protects us from the dangers of stem cell research.

Not enough

That's great. Now, what about the malicious material that comes from foreign sources?

This will do little to curb the problem, and I do not believe that legislation is the proper course to take.

Not enough

[cpuenvy]

That's great. Now, what about the malicious material that comes from foreign sources?

This will do little to curb the problem, and I do not believe that legislation is the proper course to take.

Be careful what you wish for

[Halvard]

First let me say IANAL. I've been around them my whole life but that doesn't mean I am one. I have been told by some that I think like them though.

I don't think this quite protects like people seem to think it does.

I interpret Section 2a2D of the SPY Act to say it's okay to change security settings without the knowledge of the protected parties as long as you don't seek to do damage. Imagine a defensive claim that a change to weaken security settings is to make the computer easier to use and less confusing. Prove they had a different motive. That could be tough. No question that changing a settings of allowing ActiveX controls to always run makes it easier for a website targeting ActiveX capable browsers to run whatever they want "for the purpose" of serving their users and it's "easier" for their "customers" to use the site because then they don't have to bother with or know about changing browser security settings.

Additionally, has any one read Title 18,1030? This bill references another which goes to Title 18. Title 18,1030 reads:

(e) As used in this section--
(1) the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
(2) the term "protected computer" means a computer--
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

That *might* protect you buying something on eBay but I read that to mean it doesn't protect you regarding, for example, online banking necessarily. Phishing seems to prohibited in the SPY Act but I think this needs more analysis. I think the Act protects companies like Microsoft and others (Symantec?) that are using DRM and the like. A number of companies (*cough* Real Networks *cough*) get caught not infrequently sending off more information than they claim that they do; they apologize and do it again. So say they "encrypt" it in pig Latin because they aren't supposed to any longer. Now because you've decrypted it (as any American Kindergardener can do), you've now violated God knows how many other acts.

I'm not trying to say the sky is falling. These Acts could be a good start. But anyone who thinks this is the cure is a fool. Don't forget CAN-SPAM legitimized spam while being (mis-?)represented as outlawing it.

Unfortunately...

[Craig+Ringer]

They've built your house with a fancy, and entirely unnecessary, house automation and remote control system. The locks are wired into this, and you discover that replacing the locks with secure ones disables the lights and interior doors.

Ever tried running Windows under "Restricted User"? I did. Even with mostly reputable, well behaved apps it's a PITA. Introduce a user who needs the odd browser plug-in and small custom software vendor tool, and you're screwed. Almostnt nothings sets correct registry permissions, and few things even bother setting up file permissions properly. It's a nightmare.

Re:Unfortunately...

[Woody77]

MS really screwed up the security model for this. Anything that needs to be accessed as a named object (blocks of shared memory, named pipes, etc.) requires that you very carefully prefix the names with the right token so that it knows how to deal with it.

And they changed this mid service pack, IIRC. And it's different on Win2K, WinXP, WinXP Home, Win2k3Server, and if you're running terminal services (fast user switching) or instead are part of a domain (or worse, both).

A developer I used to work with basically had to sit down with about 300 pages of documentation from MS to figure out how it all worked. And then our app took forever to get back to working the way it was meant to (with the various pieces uses queues in shared memory).

The APIs for proper registry and file permissions are overly complicated, when what you want to do is just have the OS "do the right thing".

What do they mean by a "protected" computer

[pentalive]

Is my desktop computer "protected"? or do I have to run something like Palledium before it's "protected"?

so..

[andrewweb]

all we need are some volunteers to set up a few unpatched machines, surf to a few sites and pick up all the crap of the day (without agreeing to anything that actually asks of course) and then file suit.

Who's game for some of that? Could be good fun - if the law actually has any teeth that is...

What is really needed is more general privacy

[jonwil]

Ignoring the fact that the spyware makers could just go offshore and avoid this, what is really needed is a new bill giving americans more privacy for personal details across the board. (not just for spyware)

For example, if collects personal details they should be required to tell you that they have those details.
And allow you to change those details if they are wrong.
And if they give those details to another company (e.g. credit agency, firm that is going to use the details to send you marketing crap etc etc) they should be required to tell you about that too.

Spyware companies would be required to notify you in advance what personal details their software collects (if any) and what is done with those details.

The problem with this proposal is that it would cost the big corporations money to implement. But more to the point it would prevent the corps from hiding what is going on (for example, I occasionally get letters from American Express asking if I want an American Express card even though I have never had any dealings with American Express in my life which means that some other company I deal with such as my bank must have given American Express my postal address and stuff)

Really, the 5 biggest problems with spyware are:
1.Spyware takes various levels of personal details and sends it to some company (with you not knowing what those details are or what is being done with them)
2.Spyware installs without it being clear that it is installing
3.Spyware messes with system files and settings
4.Spyware takes up memory/system resources (and often internet bandwidth to download ads etc)
and 5.Spyware is almost always impossible to remove without tools like ad-aware, MS anti-spyware or Spybot.

Re:What is really needed is more general privacy

[mls]

The problem with this proposal is that it would cost the big corporations money to implement.

More importantly, the problem with this proposal is that it would cost SMALL organizations money and time to implement.

There are plenty of legitimate reasons why companies big and small transmit data.

For example, your church wants to send a mailing to all its members. It sends its mailing list to a print shop to address all the mail pieces. The print shop sends the addresses to a National Change of Address vendor to make sure they have the most recent address for you since your last move. Should all the churches across America who have little to none software experience be forced to implement extra levels of notification when you gave them the information to begin with?

As for credit card info, if you have ever read the document that passes for a privacy policy for most credit cards, they generally state that they can share information with 3rd party marketing agencies. If they give you the option to opt out, it usually isn't until after you have an account with them, and they have already extracted your information and sold it. But again, you gave it to them in the first place.

wrong again.

[Jurph]

No no no!

Come on, read TFA, and then read the law. A "protected computer" is any computer used for interstate commerce or communication as defined in Title 18 USC, Ch. 47, section 1030.

WRONG.

[Jurph]

It's not "vague" at all. The law amends Title 18 USC, Chapter 47, Section 1030. A "protected computer" refers to the effectivity of the law (your computer is "protected" by law) not by any particular user action.

A computer is "protected" if it is used for interstate or international commerce or communication. If you don't live in Michigan and you post on Slashdot, that's you.

Re:WRONG.

[Bloater]

I asked how it defines a protected computer. How can a question be wrong?

The slashdot article was vague.

Re:WRONG.

Your question was wrong because it failed to include a clause about Jurph being an asshole that likes to jump down people's throats without provocation. Here's how you should have phrased it:

Keeping in mind that some assholes hate people to ask questions, how does the bill define "protected computer" and "protected system" and does this protection even extend to motherfucking assholes who don't deserve it due to being such antisocial motherfuckers?

I hope you have learned your lesson and will not be asking any "stupid" questions (questions that don't acknowledge that there are many assholes around here) in the future.

HTH

So what about the Patriot Act?

Does this prohibit gov assholes from installing or using the keystrokers or sniffers on our PCs? Oops... I hear Tom DeLay calling me a communist from his bedroom...
Bye

That way we'll be sure that what they say is true

[crovira]

If it could cost you your life, you'd be alot more careful shen you open your mouth. :)

Priorities People!

[QCompson]

Now that Congress has tackled the most serious problem facing our nation today, namely spyware (because without legislation it's simply impossible to keep it off our PCs), perhaps it can pay attention to less dire issues, such as skyrocketing health-care costs.

Or wait, before they get to health-care, they should probably take a few more stabs at eliminating spam, because it's just so annoying to delete those extra few emails everyday.

The good news

[compuguy84]

Hopefully this contains a rider revoking the REAL ID law. I love this country!

Some of you seem to be reading this wrong

[jetnet]

Okay, it's saying anyone who is not the owner or authorized user of a protected computer can not do those things. So in other words, unless you own a protected comptuer, you can not create or send out spyware. Some of the replys seem to think that it is only protecting the "protected computers". What it is saying is that people who work for the government, banks, or foreign or interstate commerce and communication, are not held to thise act. So bankers, and the government can create spyware. But there is another loophole.

"a computer exclusively for the use of a financial institution or the U.S. Government," (notice this comma right there)" or a computer used in INTERSTATE or foreign commerce OR COMMUNICATION"

So many "or"'s. A computer used in interstate or foreign commerce OR communications. How many people here do not live in Texas, where I am from? Most of you? Well, that makes MY computer an interstate communcations device... Guess that means I can create spyware...

protected=FINANCIAL or US Government Only

Section 1030(e) of title 18, United States Code defines a "Protected Computer"

(e) As used in this section -
(1) the term ''computer'' means an electronic, magnetic,
optical, electrochemical, or other high speed data processing
device performing logical, arithmetic, or storage functions, and
includes any data storage facility or communications facility
directly related to or operating in conjunction with such device,
but such term does not include an automated typewriter or
typesetter, a portable hand held calculator, or other similar
device;

(2) the term ''protected computer'' means a computer -
(A) exclusively for the use of a financial institution or the
United States Government, or, in the case of a computer not
exclusively for such use, used by or for a financial
institution or the United States Government and the conduct
constituting the offense affects that use by or for the
financial institution or the Government; or
(B) which is used in interstate or foreign commerce or
communication;

MS Home sales pitch

[Aumaden]

Let's drop in on an MS House sale in progress:

Luser: Hey, what's this hole in the side of my house?

MS: That's our new invention! We call it a "door way". It lets you enter and leave your house!

Luser: And lets anyone walk right in and nick my telly!

MS: (smiling) Not to fear! We care about your security! That's why we offer MS House Professional! When you upgrade to MS House Pro, you get a device that closes the hol..., er, "door way", and protects your stuff! We call it... the "Door"! Juse close the "Door" and your MS House Pro is safe and secure!

Luser: That sounds all well and good, but what happens if someone walks up and opens my "Door"?

MS: <blink><blink>

Re:MS Home sales pitch

[Hentai]

Luser: That sounds all well and good, but what happens if someone walks up and opens my "Door"?

MS:

Linux: Don't buy a house from this man! You need a secure entry and exit system! Our house plans are completely free, and there are plenty of liscensed contractors that can build one for you at a very reasonable price! Plus, it doesn't come with a door unless you ask for one - which, incidentally, I wouldn't! Thieves can get in, after all.

Luser: So... how do I get in?

Linux: We have two cannon-powered one-way pneumatic chutes, which are synchronized and studded with sensors so that only authorized objects and people sprayed with this special reflective paint can get in! And you have to know which chute is which, or you get blown to smithereens! Plus, the whole house uses the same chute system for everything - heating, cooling, garbage disposal - and the entire surface is studded with spinning, rotating blades!

Luser: But... my kids! What if they -

Linux: You'll get used to it! It comes with these notes scribbled directly by the designers of the chute! And there's even free plans for adding a doorknob and a doorbell to the chute iris, so you can make it feel just like their "doors", but with the added security of spinning, rotating blades!

Luser: But I...

Apple: Our doors come with locks on them. And you get real-marble floors and an indoor heated swimming pool!

Luser: oooooh...

Apple: That'll be $3,999,999.95 please.

I'm Really Friggin' Jaded

[Rob+Riggs]

When I read House Passes Spyware Bills the first question that popped into mind was "OK, how many will we be required to install"?

First Spyware next . . .

And how long will it take for them to use these new laws to classify P2P networks as unauthorized access to a Personal Computer and make it illegal too.

Phew! Relief, just like the 1800's

[ShimmyShimmy]

This is perfect! It'll be just as effective as the Interstate Commerce Act was to prevent short-haul railroads from charging unreasonable prices! I wonder if there's any phrase more general and less effective than "deceptive arts and practices."

Unintended consequences

[cyways]

There are some interesting tidbits in H.R. 29 (I haven't read the other yet). For instance, the law is designed to exempt things like web server logs with the following:

"(2) EXCEPTION FOR SOFTWARE COLLECTING INFORMATION REGARDING WEB PAGES VISITED WITHIN A PARTICULAR WEB SITE- Computer software that otherwise would be considered an information collection program by reason of paragraph (1)(B) shall not be considered such a program if--

(A) the only information collected by the software regarding Web pages that are accessed using the computer is information regarding Web pages within a particular Web site;"

Does this mean that web server software can no longer collect a referer log, since that information doesn't pertain to "Web pages within a particular Web site" but to some third-party site? What about things like the browser's identification string? The remote user's IP address? How about GET URLs that include a session identifier? Can they be logged? How about a GET URL that includes an email address is the parameter string?

Now lets consider the consent provisions in 3(c) for a moment. Although the legislation is obviously targeted at what we'd all call spyware, the definition of an "information collection program" in 3(b)(1) clearly includes web forms:

"...the term `information collection program' means computer software that ...
(i) collects personally identifiable information; and
(ii)(I) sends such information to a person other than the owner or authorized user of the computer, or
(II) uses such information to deliver advertising to, or display advertising on, the computer."

Now, of course, reason would suggest that if someone fills out a form online they have consented to the collection of the information. However the provisions in 3(c) indicate that the person must be informed by a notice that such information is being collected, that this notice is "clearly distinguishe[d] ... from any other information visually presented contemporaneously on the computer," and that consent to the notice must be obtained. Strict compliance with this provision seems to require that I add something like a pop-up dialog box to every web form reminding people that their information is being collected and requesting their consent before proceeding.

I may sound nit-picky here, but these are exactly the types of problems that arise when well-intentioned but not technically-savvy legislators try to write laws to about technologically-complex issues. I actually think that, in general, this law is fairly well drafted, but reading the legislation as a site designer immediately raised these questions.

I do not think this word means what you think...

FTFB: "unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices." I do not think this word "any" means what you think it means. To me, "any person" means "any of the > 6bil people on Earth or elsewhere." To them, it means "anyone who is not a law enforcement officer with a warrant, or anyone who is not an agent of the US government acting for 'national security' purposes". But those are the only people I really am concerned about as far as spyware. All the other spyware can be blocked without too much difficulty.

I love it, it's like the Department of Homeland "Security" getting bills to protect its own privacy (keeping records out of the public, etc) while at the same time trying to get access to all of ours.

I'm ready for the Ministry of Love and the Ministry of Truth!

Actually, it's unnecessary and absurd

[Roadkills-R-Us]

Such behavior is illegal under at least trespassing and theft of services laws. Had the courts merely shown common sense and run over the first miscreants with a large truck, a lot less of it would be going on.

So then

[denissmith]

H.R. 29 makes it 'unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices'.

I own my own computer, so I am allowed to engage in deceptive acts or practices?

This means nothing to most people

[mark-t]

Note the term "protected computer".

And as it happens, that term already has a legal definition in the US Code.

Thus, this only impacts computers used for interstate or foreign commerce, or by the US government.

Re:What about government sanctioned spyware?

[quarkscat]

The only problem I have with this anti-spyware legislation is that it does nothing to prevent either offshore based spyware OR USA government sanctioned spyware.

The current regime in power has gone out of its way to characterize "terrorism" in the broadest possible definition, to include such things as copyright violations and DMCA violations. Trading partners of the USA have been coerced into passing legislation that brings them into compliance with American law. But protecting the sanctity of citizens' privacy rights is not that this regime is about. Not only is this regime looking for re-establishing sunset clauses in the USA Patriot Act (I), but are also looking to expand the government's right to violate citizen privacy with a new and improved USA Patriot Act (II). This regime has given itself the legal power to violate any number of international treaties, including the ABM Treaty, Geneva Conventions, and Militarization of Space. Between government authored spyware (Carnivore plus whatever is now current), and the forced collaboration of commercial software vendors (Microsoft?) to add/maintain hidden backdoors, the average "internet joe" has no chance to preserve individual privacy. Between TIA, TIPPS, MATRIX, whatever comes next (with USA Patriot Act (II), and the wide swath of private/commercial databases holding private information, individual privacy is dead in the USA. Recent demands made by the current regime in power, through the DHS, has required that all foreign governments with commercial aircraft that pass through USA airspace also furnish extensive passenger information. Do not expect spyware to go away with this legislation -- it will only eliminate private competition to this regime's ambitions.

Re:Unintended consquences (j/k)

[SPY_jmr1]

if you're not the legal one, you must be the IL-LEGAL one!!

Burn 'um!!!!

A few observations

[deblau]

First, all the comments about 18 U.S.C. 1030. Your home computer is a "protected computer" since you buy things with it online. That pulls it under the interstate commerce clause, and the power of Congress to regulate it.

Second, the first bill, H.R. 29, doesn't provide for a private cause of action. It says it's enforced by the FTC. Which means you can't sue under this bill (if it becomes law).

Third, the second bill allows for an (implied) private cause of action: No person may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant's violating this section. It doesn't say you can't bring a criminal action under state law, so you may not be required to file in federal court.

My sense of the bills is that the first goes after companies who make and bundle spyware, while the second goes after extortionists, phishers, virus writers and the like.

Microsoft Is Out Of Business!

[Master+of+Transhuman]

H.R. 29 makes it 'unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices'.

Ignorant users

That would be YOU, buddy. "It let's both ignorant users"

Why not go whole hog with your abuse of the apostrophe and say "It let's both ignorant user's?"

Also, I don't see where MS is on the hook to begin with. Their sales don't seem to be taking much of a hit from disgusted users switching to another OS.

Keyword: Authorized User

[GuyverDH]

EULA: By clicking this, you hereby grant said software vendor fully authorized user status.

Nuff said...

guess i'll have to get a real job...

[ShineyMcShine]

now that all my customers pc's will be squeaky clean...

What do these bills *do*?

[hedora]

I only skimmed the legislation, but other than mentioning "spyware" a lot, I don't see the point of it. It has been illegal to break into computer systems since at least the 80s, regardless of whether you use a technical or social engineering attack.

Similarly, stealing personal information is illegal (or should be, regardless of whether spyware is involved!). The class of social engineering attacks, such as phishing that these bills outlaw, seem to me (IANAL) to be the same thing as the old con artist schemes that were illegal long before the internet.

Has anyone found the section of the legislation that actually makes it illegal to do something that used to be legal? What am I missing?

FINANCIAL is as simple as PayPal

[tepples]

(2) the term ''protected computer'' means a computer -
(A) [...] or
(B) which is used in interstate or foreign commerce or communication;

Any computer supporting common Internet protocols, such as TCP/IP, HTTP, and HTML, is capable of interstate communication. Add HTTPS, and you get capability for online shopping, a form of interstate commerce. So from the moment that the owner of a typical home computer visits ebay.com using that computer, it "is used in interstate or foreign commerce or communication."

Follow the money

[tepples]

It is basically impossible to enforce any kind of embargo on spam.

Follow the money. A company sending bulk e-mail has to advertise a product or service for sale. A company that advertises a product through spam could lose its license to do business.

The real plus of this Law

[cybrangl]

Despite the many loopholes, like out of country spyware etc. the law would give antispyware makers a clear definition on what is spyware and what is not. While I don't expect to see many, if any spyware makers put in jail, I do see this as a defense for the antispyware industry when they wipe out Gator-like programs.

Speaking of ignorant ...

It let's both ignorant users

"lets".

unproductive government good!

[Joseph_Daniel_Zukige]

One mostly unproductive government in place is worth several hundred do-gooders trying to break the door down.

If that doesn't parse, the product of a too-productive government is digit rights management legislation, mandatory wireless ID cards and passports, laws against encryption the government can't break, anti-monopoly trials that let the monopoly move ahead, ...

The product of a government that knows when not to produce is to get in the way of the people that want productive government and to stand out of the way of people who want to work in the open.