Slashdot Mirror
House Passes Spyware Bills
stinerman writes "Today the house passed two bills aimed at stopping spyware / adware and unauthorized use of computers. H.R. 29 makes it 'unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices'. H.R. 744 (I-SPY Act) prohibits accessing a protected system via code copied on to the system to, among other things, disseminate personal information. Both bills sailed through the house and are expected to be passed by the Senate."
There'll be no more spyware by Christmas, let me tell you.
What about spyware that asks permission before it installs, like Gator and all that. Is that sorta thing covered in this?
Anonymous Coward
This is a great step, if only in spirit.
When the spammers and spyware makers start getting fined and sent to jail I think we'll have something to crow about.
Until then, it's just a feelgood law.
http://www.eweek.com/article2/0,1759,1788844,00.as p
According to this article, leading anti-spyware vendors are working with the nonprofit Center for Democracy and Technology to develop guidelines for defining spyware.
When the very definition of spyware is hanging in balance, I dont see how they can strictly enforce the law.
My 2c.
I wouldn't be surprised that if you allowed one piece of spyware to be installed, it would be automatically assumed that you want more spyware installed. It's like getting married to one person and finding out that all the in-laws are moving into your new place with you.
Well, I'm not the legal wizard, but the first thing I thought about was will these bills have unintended consequences like the DMCA?
I'm sure that Congress-critters didn't intend companies using the DMCA as an agressive legal weapon it has become.
What twists will these bill's be given to turn them into tools for the harassment of honest people?
----- Lotus Super 7 - A real car.
The problem with first steps (whether it be Congress's legislation or international treaties) is that because it's a first step and getting agreement it hard enough they can't accomplish very much and, yet, after the first step has been taken no one feels the need to take another step. My guess is that this legislation is too weak to accomplish anything and nothing will really be done until it becomes a big enough problem that the politicians can't say that they worked on it and are waiting for it to take effect or some BS like that.
Now if they had only made it part of the DMCA, then we would get some quality legal action going by the **AA and we might actually solve the problem.
Does it prevent M$ from collecting info from your PC?
hilarious
I have a feeling that the thousands of ignorant users that don't run a firewall or even bother with security updates aren't going to be considered "protected computers". *Sigh*
Divide by zero hurts my brain.
US Code Title 18 Section 1030e: (2) the term "protected computer" means a computer-- (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or (B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States; This doesn't protect anybody but the government... Back to the drawing board I guess.
What we really need is a law to prevent idiots from using a computer... (or driving a car, buying a gun, voting)
Is this really something that government should be legislating at all?
It let's both ignorant users (whom I can forgive) but also Microsoft (whom I can't) off the hook. Rather than having to secure their systems/fix fundamental security flaws in their OS and applications they can just hide behind this new law: "It's not our fault we didn't do anything wrong, they broke the law!"
Bad analogies are like waxing a monkey with a rainbow.
What about spyware coming from non-US systems? US law does not govern these systems. What happens then if I get hit with spyware from some other country?
Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
Why shouldn't machine code be code? Or byte code?
However there's another fuzzy border: Where does code end and pure data begin? E.g. if I set a cookie at a browser, then it causes the browser to send the cookie back to me every time someone accesses my web server. Now, is the cookie code (because it actually triggers an action), or is it just data (because it doesn't actually have commands, it's just a name/value pair, and it's the browser which does the sending anyway).
This line is fuzzy because for interpreted languages you could as well say the commands are just data, and it's only the interpreter which actually performs certain actions based on the data.
I for one wouldn't be unhappy if that law also covered tracking cookies from advertisers.
The Tao of math: The numbers you can count are not the real numbers.
The less government tries to do for us, the more we do for ourselves, the more free (not as in beer) we are.
How does this affect government observation programs (you know, carnivore et al...)? Does this force them to get a warrant in all cases to certify that they really are 'authorized users'?
Jw
unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices
/. but the definition of an "authorized user" will be interesting.
I guess this means my deceptive aliases on slashdot and every other potential spammer Web site can now land me in jail, assuming slashdot is a "protected system". I guess I'm an "authorized user" of
Usually there is public interest in sunsetting bills that are polarizing so they must be re-authorized later, like the USA PATRIOT Act. But this bill sunsets December 31, 2010. You'd think by then that stronger regulations will be needed to fix all the loopholes this one creates, but look out for spyware set to report all you personal stuff back to home base on Jan 1 2011!
Let's hope it's as successful as the YOU-CAN-SPAM Act. That really showed those Nigerians and Chinese (not to mention the big American spammers) who was boss, didn't it?
So does this mean I can't enter bogus information to access a site or download so I can avoid spam? If I don't own the site's servers, and I enter a bogus e-mail just to download a whitepaper, then that would be deceptive. I feel like such a criminal. I wish these people would get their tech gurus to help them write this stuff.
I'm pretty sure the word "protected," in this context, refers to computers that are covered by the legal protection defined in the bill. It has no technical significance at all.
Anyone else notice that politicians these days always make their acts spell out cute little words or phrases with their acronyms (PATRIOT, I-SPY, etc.)?
Well I'm going to become a politician and write up the OMGWTFBBQ act.
Esoteric reference.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
There's already laws against unauthorized computer access, just enforce them.
Yet another unenforced law doesn't do any good.
Ok this is yet another example of wasted tax dollars deliberating something that is obviously never going to be enforced.
"Wahoo, the Senate made it illegal for Spyware companies to install it on my system, wait a tick. If I install a trojan on someones system why is that a stiffer penalty than spyware? Both are installed without the users consent to track movements, wreak havok, both could be used for malicious purposes."
I can see this already, spyware will still be produced en masse, the people who deploy it will simply move somewhere not governed by US law. New law circumvented, tax money wasted, spyware still rampant.
I am Bennett Haselton! I am Bennett Haselton!
Why was this bill even necessary? It will only stop those who are trying to use spyware as a supposed business model(HEllloooo Claria...). Did this really need another law? This is yet another case of our representatives not understanding technology and not understanding that with a world wide system, it's impossible to enforce.
Gorkman
First let me say IANAL. I've been around them my whole life but that doesn't mean I am one. I have been told by some that I think like them though.
I don't think this quite protects like people seem to think it does.
I interpret Section 2a2D of the SPY Act to say it's okay to change security settings without the knowledge of the protected parties as long as you don't seek to do damage. Imagine a defensive claim that a change to weaken security settings is to make the computer easier to use and less confusing. Prove they had a different motive. That could be tough. No question that changing a settings of allowing ActiveX controls to always run makes it easier for a website targeting ActiveX capable browsers to run whatever they want "for the purpose" of serving their users and it's "easier" for their "customers" to use the site because then they don't have to bother with or know about changing browser security settings.
Additionally, has any one read Title 18,1030? This bill references another which goes to Title 18. Title 18,1030 reads:
(e) As used in this section--
(1) the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
(2) the term "protected computer" means a computer--
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
That *might* protect you buying something on eBay but I read that to mean it doesn't protect you regarding, for example, online banking necessarily. Phishing seems to prohibited in the SPY Act but I think this needs more analysis. I think the Act protects companies like Microsoft and others (Symantec?) that are using DRM and the like. A number of companies (*cough* Real Networks *cough*) get caught not infrequently sending off more information than they claim that they do; they apologize and do it again. So say they "encrypt" it in pig Latin because they aren't supposed to any longer. Now because you've decrypted it (as any American Kindergardener can do), you've now violated God knows how many other acts.
I'm not trying to say the sky is falling. These Acts could be a good start. But anyone who thinks this is the cure is a fool. Don't forget CAN-SPAM legitimized spam while being (mis-?)represented as outlawing it.
So this bill applies to any computer in the United States which communicates with any computer not in the same state (reserving that power for the legislatures of the states). It even covers your computer, as long as your comments here can be broadly interpreted as "communicating". Yeah, I know -- it's a stretch.
Ignoring the fact that the spyware makers could just go offshore and avoid this, what is really needed is a new bill giving americans more privacy for personal details across the board. (not just for spyware)
For example, if collects personal details they should be required to tell you that they have those details.
And allow you to change those details if they are wrong.
And if they give those details to another company (e.g. credit agency, firm that is going to use the details to send you marketing crap etc etc) they should be required to tell you about that too.
Spyware companies would be required to notify you in advance what personal details their software collects (if any) and what is done with those details.
The problem with this proposal is that it would cost the big corporations money to implement. But more to the point it would prevent the corps from hiding what is going on (for example, I occasionally get letters from American Express asking if I want an American Express card even though I have never had any dealings with American Express in my life which means that some other company I deal with such as my bank must have given American Express my postal address and stuff)
Really, the 5 biggest problems with spyware are:
1.Spyware takes various levels of personal details and sends it to some company (with you not knowing what those details are or what is being done with them)
2.Spyware installs without it being clear that it is installing
3.Spyware messes with system files and settings
4.Spyware takes up memory/system resources (and often internet bandwidth to download ads etc)
and 5.Spyware is almost always impossible to remove without tools like ad-aware, MS anti-spyware or Spybot.
It's not "vague" at all. The law amends Title 18 USC, Chapter 47, Section 1030. A "protected computer" refers to the effectivity of the law (your computer is "protected" by law) not by any particular user action.
A computer is "protected" if it is used for interstate or international commerce or communication. If you don't live in Michigan and you post on Slashdot, that's you.
When I read House Passes Spyware Bills the first question that popped into mind was "OK, how many will we be required to install"?
the growth in cynicism and rebellion has not been without cause
There are some interesting tidbits in H.R. 29 (I haven't read the other yet). For instance, the law is designed to exempt things like web server logs with the following:
...
... from any other information visually presented contemporaneously on the computer," and that consent to the notice must be obtained. Strict compliance with this provision seems to require that I add something like a pop-up dialog box to every web form reminding people that their information is being collected and requesting their consent before proceeding.
"(2) EXCEPTION FOR SOFTWARE COLLECTING INFORMATION REGARDING WEB PAGES VISITED WITHIN A PARTICULAR WEB SITE- Computer software that otherwise would be considered an information collection program by reason of paragraph (1)(B) shall not be considered such a program if--
(A) the only information collected by the software regarding Web pages that are accessed using the computer is information regarding Web pages within a particular Web site;"
Does this mean that web server software can no longer collect a referer log, since that information doesn't pertain to "Web pages within a particular Web site" but to some third-party site? What about things like the browser's identification string? The remote user's IP address? How about GET URLs that include a session identifier? Can they be logged? How about a GET URL that includes an email address is the parameter string?
Now lets consider the consent provisions in 3(c) for a moment. Although the legislation is obviously targeted at what we'd all call spyware, the definition of an "information collection program" in 3(b)(1) clearly includes web forms:
"...the term `information collection program' means computer software that
(i) collects personally identifiable information; and
(ii)(I) sends such information to a person other than the owner or authorized user of the computer, or
(II) uses such information to deliver advertising to, or display advertising on, the computer."
Now, of course, reason would suggest that if someone fills out a form online they have consented to the collection of the information. However the provisions in 3(c) indicate that the person must be informed by a notice that such information is being collected, that this notice is "clearly distinguishe[d]
I may sound nit-picky here, but these are exactly the types of problems that arise when well-intentioned but not technically-savvy legislators try to write laws to about technologically-complex issues. I actually think that, in general, this law is fairly well drafted, but reading the legislation as a site designer immediately raised these questions.
The only problem I have with this anti-spyware legislation is that it does nothing to prevent either offshore based spyware OR USA government sanctioned spyware.
The current regime in power has gone out of its way to characterize "terrorism" in the broadest possible definition, to include such things as copyright violations and DMCA violations. Trading partners of the USA have been coerced into passing legislation that brings them into compliance with American law. But protecting the sanctity of citizens' privacy rights is not that this regime is about. Not only is this regime looking for re-establishing sunset clauses in the USA Patriot Act (I), but are also looking to expand the government's right to violate citizen privacy with a new and improved USA Patriot Act (II). This regime has given itself the legal power to violate any number of international treaties, including the ABM Treaty, Geneva Conventions, and Militarization of Space. Between government authored spyware (Carnivore plus whatever is now current), and the forced collaboration of commercial software vendors (Microsoft?) to add/maintain hidden backdoors, the average "internet joe" has no chance to preserve individual privacy. Between TIA, TIPPS, MATRIX, whatever comes next (with USA Patriot Act (II), and the wide swath of private/commercial databases holding private information, individual privacy is dead in the USA. Recent demands made by the current regime in power, through the DHS, has required that all foreign governments with commercial aircraft that pass through USA airspace also furnish extensive passenger information. Do not expect spyware to go away with this legislation -- it will only eliminate private competition to this regime's ambitions.
Second, the first bill, H.R. 29, doesn't provide for a private cause of action. It says it's enforced by the FTC. Which means you can't sue under this bill (if it becomes law).
Third, the second bill allows for an (implied) private cause of action: No person may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant's violating this section. It doesn't say you can't bring a criminal action under state law, so you may not be required to file in federal court.
My sense of the bills is that the first goes after companies who make and bundle spyware, while the second goes after extortionists, phishers, virus writers and the like.
This post expresses my opinion, not that of my employer. And yes, IAAL.
I only skimmed the legislation, but other than mentioning "spyware" a lot, I don't see the point of it. It has been illegal to break into computer systems since at least the 80s, regardless of whether you use a technical or social engineering attack.
Similarly, stealing personal information is illegal (or should be, regardless of whether spyware is involved!). The class of social engineering attacks, such as phishing that these bills outlaw, seem to me (IANAL) to be the same thing as the old con artist schemes that were illegal long before the internet.
Has anyone found the section of the legislation that actually makes it illegal to do something that used to be legal? What am I missing?