House Passes Spyware Bills
stinerman writes "Today the house passed two bills aimed at stopping spyware / adware and unauthorized use of computers. H.R. 29 makes it 'unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices'. H.R. 744 (I-SPY Act) prohibits accessing a protected system via code copied onto the system to, among other things, disseminate personal information. Both bills sailed through the house and are expected to be passed by the Senate."
What about spyware that asks permission before it installs, like Gator and all that. Is that sorta thing covered in this?
Anonymous Coward
This is a great step, if only in spirit.
When the spammers and spyware makers start getting fined and sent to jail I think we'll have something to crow about.
Until then, it's just a feelgood law.
Well, I'm not the legal wizard, but the first thing I thought about was will these bills have unintended consequences like the DMCA?
I'm sure that Congress-critters didn't intend companies using the DMCA as the aggressive legal weapon it has become.
What twists will these bills be given to turn them into tools for the harassment of honest people?
----- Lotus Super 7 - A real car.
Does it prevent M$ from collecting info from your PC?
hilarious
What about spyware coming from non-US systems? US law does not govern these systems. What happens then if I get hit with spyware from some other country?
Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
Why shouldn't machine code be code? Or byte code?
However, there's another fuzzy border: Where does code end and pure data begin? E.g. if I set a cookie at a browser, then it causes the browser to send the cookie back to me every time someone accesses my web server. Now, is the cookie code (because it actually triggers an action), or is it just data (because it doesn't actually have commands, it's just a name/value pair, and it's the browser which does the sending anyway)?
This line is fuzzy because for interpreted languages you could as well say the commands are just data, and it's only the interpreter which actually performs certain actions based on the data.
I for one wouldn't be unhappy if that law also covered tracking cookies from advertisers.
The Tao of math: The numbers you can count are not the real numbers.
I agree, like it or not, this is not really something the government has been delegated the right to have a say in by the people.
Slashdot is too full of narrow-sighted people who will say the same things I just did about acts like REAL ID, but fail to realize that legislating computer software is also not within their rights. The 10th amendment is always my favorite defense, but nobody really cares about the Bill of Rights anymore and it's sad.
How does this affect government observation programs (you know, carnivore et al...)? Does this force them to get a warrant in all cases to certify that they really are 'authorized users'?
Jw
Usually there is public interest in sunsetting bills that are polarizing so they must be re-authorized later, like the USA PATRIOT Act. But this bill sunsets December 31, 2010. You'd think by then that stronger regulations will be needed to fix all the loopholes this one creates, but look out for spyware set to report all your personal stuff back to home base on Jan 1 2011!
So does this mean I can't enter bogus information to access a site or download so I can avoid spam? If I don't own the site's servers, and I enter a bogus e-mail just to download a whitepaper, then that would be deceptive. I feel like such a criminal. I wish these people would get their tech gurus to help them write this stuff.
Why was this bill even necessary? It will only stop those who are trying to use spyware as a supposed business model (HEllloooo Claria...). Did this really need another law? This is yet another case of our representatives not understanding technology and not understanding that with a world wide system, it's impossible to enforce.
Gorkman
There are some interesting tidbits in H.R. 29 (I haven't read the other yet). For instance, the law is designed to exempt things like web server logs with the following:
"(2) EXCEPTION FOR SOFTWARE COLLECTING INFORMATION REGARDING WEB PAGES VISITED WITHIN A PARTICULAR WEB SITE- Computer software that otherwise would be considered an information collection program by reason of paragraph (1)(B) shall not be considered such a program if--
(A) the only information collected by the software regarding Web pages that are accessed using the computer is information regarding Web pages within a particular Web site;"
Does this mean that web server software can no longer collect a referer log, since that information doesn't pertain to "Web pages within a particular Web site" but to some third-party site? What about things like the browser's identification string? The remote user's IP address? How about GET URLs that include a session identifier? Can they be logged? How about a GET URL that includes an email address in the parameter string?
Now let's consider the consent provisions in 3(c) for a moment. Although the legislation is obviously targeted at what we'd all call spyware, the definition of an "information collection program" in 3(b)(1) clearly includes web forms:
"...the term `information collection program' means computer software that
(i) collects personally identifiable information; and
(ii)(I) sends such information to a person other than the owner or authorized user of the computer, or
(II) uses such information to deliver advertising to, or display advertising on, the computer."
Now, of course, reason would suggest that if someone fills out a form online they have consented to the collection of the information. However, the provisions in 3(c) indicate that the person must be informed by a notice that such information is being collected, that this notice is "clearly distinguishe[d] ... from any other information visually presented contemporaneously on the computer," and that consent to the notice must be obtained. Strict compliance with this provision seems to require that I add something like a pop-up dialog box to every web form reminding people that their information is being collected and requesting their consent before proceeding.
I may sound nit-picky here, but these are exactly the types of problems that arise when well-intentioned but not technically-savvy legislators try to write laws about technologically-complex issues. I actually think that, in general, this law is fairly well drafted, but reading the legislation as a site designer immediately raised these questions.
The only problem I have with this anti-spyware legislation is that it does nothing to prevent either offshore based spyware OR USA government sanctioned spyware.
The current regime in power has gone out of its way to characterize "terrorism" in the broadest possible definition, to include such things as copyright violations and DMCA violations. Trading partners of the USA have been coerced into passing legislation that brings them into compliance with American law. But protecting the sanctity of citizens' privacy rights is not what this regime is about. Not only is this regime looking to re-establish sunset clauses in the USA Patriot Act (I), but it is also looking to expand the government's right to violate citizen privacy with a new and improved USA Patriot Act (II). This regime has given itself the legal power to violate any number of international treaties, including the ABM Treaty, Geneva Conventions, and Militarization of Space. Between government authored spyware (Carnivore plus whatever is now current), and the forced collaboration of commercial software vendors (Microsoft?) to add/maintain hidden backdoors, the average "internet joe" has no chance to preserve individual privacy. Between TIA, TIPPS, MATRIX, whatever comes next (with USA Patriot Act (II)), and the wide swath of private/commercial databases holding private information, individual privacy is dead in the USA. Recent demands made by the current regime in power, through the DHS, have required that all foreign governments with commercial aircraft that pass through USA airspace also furnish extensive passenger information. Do not expect spyware to go away with this legislation -- it will only eliminate private competition to this regime's ambitions.
Second, the first bill, H.R. 29, doesn't provide for a private cause of action. It says it's enforced by the FTC. Which means you can't sue under this bill (if it becomes law).
Third, the second bill allows for an (implied) private cause of action: No person may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant's violating this section. It doesn't say you can't bring a criminal action under state law, so you may not be required to file in federal court.
My sense of the bills is that the first goes after companies who make and bundle spyware, while the second goes after extortionists, phishers, virus writers and the like.
This post expresses my opinion, not that of my employer. And yes, IAAL.
I only skimmed the legislation, but other than mentioning "spyware" a lot, I don't see the point of it. It has been illegal to break into computer systems since at least the 80s, regardless of whether you use a technical or social engineering attack.
Similarly, stealing personal information is illegal (or should be, regardless of whether spyware is involved!). The class of social engineering attacks, such as phishing, that these bills outlaw seems to me (IANAL) to be the same thing as the old con artist schemes that were illegal long before the internet.
Has anyone found the section of the legislation that actually makes it illegal to do something that used to be legal? What am I missing?