Slashdot Mirror
House Passes Spyware Bills
stinerman writes "Today the house passed two bills aimed at stopping spyware / adware and unauthorized use of computers. H.R. 29 makes it 'unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices'. H.R. 744 (I-SPY Act) prohibits accessing a protected system via code copied on to the system to, among other things, disseminate personal information. Both bills sailed through the house and are expected to be passed by the Senate."
There'll be no more spyware by Christmas, let me tell you.
What about spyware that asks permission before it installs, like Gator and all that. Is that sorta thing covered in this?
Anonymous Coward
This is a great step, if only in spirit.
When the spammers and spyware makers start getting fined and sent to jail I think we'll have something to crow about.
Until then, it's just a feelgood law.
http://www.eweek.com/article2/0,1759,1788844,00.as p
According to this article, leading anti-spyware vendors are working with the nonprofit Center for Democracy and Technology to develop guidelines for defining spyware.
When the very definition of spyware is hanging in balance, I dont see how they can strictly enforce the law.
My 2c.
I wouldn't be surprised that if you allowed one piece of spyware to be installed, it would be automatically assumed that you want more spyware installed. It's like getting married to one person and finding out that all the in-laws are moving into your new place with you.
Well, I'm not the legal wizard, but the first thing I thought about was will these bills have unintended consequences like the DMCA?
I'm sure that Congress-critters didn't intend companies using the DMCA as an agressive legal weapon it has become.
What twists will these bill's be given to turn them into tools for the harassment of honest people?
----- Lotus Super 7 - A real car.
The problem with first steps (whether it be Congress's legislation or international treaties) is that because it's a first step and getting agreement it hard enough they can't accomplish very much and, yet, after the first step has been taken no one feels the need to take another step. My guess is that this legislation is too weak to accomplish anything and nothing will really be done until it becomes a big enough problem that the politicians can't say that they worked on it and are waiting for it to take effect or some BS like that.
Now if they had only made it part of the DMCA, then we would get some quality legal action going by the **AA and we might actually solve the problem.
Does it prevent M$ from collecting info from your PC?
hilarious
US Code Title 18 Section 1030e: (2) the term "protected computer" means a computer-- (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or (B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States; This doesn't protect anybody but the government... Back to the drawing board I guess.
What we really need is a law to prevent idiots from using a computer... (or driving a car, buying a gun, voting)
Is this really something that government should be legislating at all?
It let's both ignorant users (whom I can forgive) but also Microsoft (whom I can't) off the hook. Rather than having to secure their systems/fix fundamental security flaws in their OS and applications they can just hide behind this new law: "It's not our fault we didn't do anything wrong, they broke the law!"
Bad analogies are like waxing a monkey with a rainbow.
What about spyware coming from non-US systems? US law does not govern these systems. What happens then if I get hit with spyware from some other country?
Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
How does this affect government observation programs (you know, carnivore et al...)? Does this force them to get a warrant in all cases to certify that they really are 'authorized users'?
Jw
Let's hope it's as successful as the YOU-CAN-SPAM Act. That really showed those Nigerians and Chinese (not to mention the big American spammers) who was boss, didn't it?
Anyone else notice that politicians these days always make their acts spell out cute little words or phrases with their acronyms (PATRIOT, I-SPY, etc.)?
Well I'm going to become a politician and write up the OMGWTFBBQ act.
Esoteric reference.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
There's already laws against unauthorized computer access, just enforce them.
Yet another unenforced law doesn't do any good.
First let me say IANAL. I've been around them my whole life but that doesn't mean I am one. I have been told by some that I think like them though.
I don't think this quite protects like people seem to think it does.
I interpret Section 2a2D of the SPY Act to say it's okay to change security settings without the knowledge of the protected parties as long as you don't seek to do damage. Imagine a defensive claim that a change to weaken security settings is to make the computer easier to use and less confusing. Prove they had a different motive. That could be tough. No question that changing a settings of allowing ActiveX controls to always run makes it easier for a website targeting ActiveX capable browsers to run whatever they want "for the purpose" of serving their users and it's "easier" for their "customers" to use the site because then they don't have to bother with or know about changing browser security settings.
Additionally, has any one read Title 18,1030? This bill references another which goes to Title 18. Title 18,1030 reads:
(e) As used in this section--
(1) the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
(2) the term "protected computer" means a computer--
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
That *might* protect you buying something on eBay but I read that to mean it doesn't protect you regarding, for example, online banking necessarily. Phishing seems to prohibited in the SPY Act but I think this needs more analysis. I think the Act protects companies like Microsoft and others (Symantec?) that are using DRM and the like. A number of companies (*cough* Real Networks *cough*) get caught not infrequently sending off more information than they claim that they do; they apologize and do it again. So say they "encrypt" it in pig Latin because they aren't supposed to any longer. Now because you've decrypted it (as any American Kindergardener can do), you've now violated God knows how many other acts.
I'm not trying to say the sky is falling. These Acts could be a good start. But anyone who thinks this is the cure is a fool. Don't forget CAN-SPAM legitimized spam while being (mis-?)represented as outlawing it.
So this bill applies to any computer in the United States which communicates with any computer not in the same state (reserving that power for the legislatures of the states). It even covers your computer, as long as your comments here can be broadly interpreted as "communicating". Yeah, I know -- it's a stretch.
Ignoring the fact that the spyware makers could just go offshore and avoid this, what is really needed is a new bill giving americans more privacy for personal details across the board. (not just for spyware)
For example, if collects personal details they should be required to tell you that they have those details.
And allow you to change those details if they are wrong.
And if they give those details to another company (e.g. credit agency, firm that is going to use the details to send you marketing crap etc etc) they should be required to tell you about that too.
Spyware companies would be required to notify you in advance what personal details their software collects (if any) and what is done with those details.
The problem with this proposal is that it would cost the big corporations money to implement. But more to the point it would prevent the corps from hiding what is going on (for example, I occasionally get letters from American Express asking if I want an American Express card even though I have never had any dealings with American Express in my life which means that some other company I deal with such as my bank must have given American Express my postal address and stuff)
Really, the 5 biggest problems with spyware are:
1.Spyware takes various levels of personal details and sends it to some company (with you not knowing what those details are or what is being done with them)
2.Spyware installs without it being clear that it is installing
3.Spyware messes with system files and settings
4.Spyware takes up memory/system resources (and often internet bandwidth to download ads etc)
and 5.Spyware is almost always impossible to remove without tools like ad-aware, MS anti-spyware or Spybot.
Second, the first bill, H.R. 29, doesn't provide for a private cause of action. It says it's enforced by the FTC. Which means you can't sue under this bill (if it becomes law).
Third, the second bill allows for an (implied) private cause of action: No person may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant's violating this section. It doesn't say you can't bring a criminal action under state law, so you may not be required to file in federal court.
My sense of the bills is that the first goes after companies who make and bundle spyware, while the second goes after extortionists, phishers, virus writers and the like.
This post expresses my opinion, not that of my employer. And yes, IAAL.