Slashdot Mirror


House Passes Spyware Bills

stinerman writes "Today the House passed two bills aimed at stopping spyware / adware and unauthorized use of computers. H.R. 29 makes it 'unlawful for any person who is not the owner or authorized user of a protected computer to engage in deceptive acts or practices'. H.R. 744 (I-SPY Act) prohibits accessing a protected system via code copied onto the system to, among other things, disseminate personal information. Both bills sailed through the House and are expected to be passed by the Senate."

19 of 226 comments

  1. Phew! by CommunistTroll · · Score: 5, Funny
    I was beginning to be worried about spyware, but now that Congress has stepped up to the plate all my worries are over!

    There'll be no more spyware by Christmas, let me tell you.

  2. Spyware with permission? by Kinky+Bass+Junk · · Score: 5, Interesting

    What about spyware that asks permission before it installs, like Gator and all that. Is that sorta thing covered in this?

    --
    Anonymous Coward
    1. Re:Spyware with permission? by NickFortune · · Score: 4, Insightful
      I suppose it's going to come down to what the courts deem as authorisation and deception. Disclaimer: IANAL, I have not yet RTFL.

      I'd expect not for things like Gator, since that would be "authorised" access to your computer, with you authorising it. Spyware that comes bundled with other code could sneak past by having the authorisation buried in the bundling software licence agreement.

      On the bright side, it should make the covert installation of spy/malware from a web page illegal. Or maybe more illegal. Of course, those who argue that web page access entails an implicit social contract are likely to feel they have been granted all the authority they need.

      I'd guess it needs to be tested in the courts before we can tell whether this is going to be a CAN-SPY bill or not.

      --
      Don't let THEM immanentize the Eschaton!
  3. Unenforceable? by Dancin_Santa · · Score: 5, Interesting

    This is a great step, if only in spirit.

    When the spammers and spyware makers start getting fined and sent to jail I think we'll have something to crow about.

    Until then, it's just a feelgood law.

  4. The term 'spyware' has fuzzy definition by guyfromindia · · Score: 4, Insightful

    http://www.eweek.com/article2/0,1759,1788844,00.asp
    According to this article, leading anti-spyware vendors are working with the nonprofit Center for Democracy and Technology to develop guidelines for defining spyware.
    When the very definition of spyware is hanging in the balance, I don't see how they can strictly enforce the law.
    My 2c.

  5. Unintended consequences by lotussuper7 · · Score: 5, Interesting

    Well, I'm not the legal wizard, but the first thing I thought about was will these bills have unintended consequences like the DMCA?

    I'm sure that Congress-critters didn't intend companies using the DMCA as the aggressive legal weapon it has become.

    What twists will these bills be given to turn them into tools for the harassment of honest people?

    --
    ----- Lotus Super 7 - A real car. :-}
    1. Re:Unintended consequences by surprise_audit · · Score: 4, Funny
      I'd imagine there'll be something like a disclaimer appearing at the bottom of certain web pages. It'll say something like:
      By displaying this page you agree to the following statement: I love spyware, load me up!!
      in a very small font.
  6. I'm no lawyer but... by ZeroTrace · · Score: 5, Informative

    US Code Title 18 Section 1030e:

    (2) the term "protected computer" means a computer--
    (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
    (B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

    This doesn't protect anybody but the government... Back to the drawing board I guess.

    1. Re:I'm no lawyer but... by hhghghghh · · Score: 5, Informative

      "or (B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States; This doesn't protect anybody but the government... Back to the drawing board I guess."

      The wording is because of States' rights. Congress can pass laws regulating interstate commerce, and some other topics (like defense, international relations, etc.). In practice, if you've ever used your computer to buy something off of e-bay, or to even look at a commercial from out-of-state, it's been used for interstate commerce. And if you haven't, you might. So that means everybody, just nice and constitutional-like.

  7. What about non-US spyware? by skiman1979 · · Score: 5, Interesting

    What about spyware coming from non-US systems? US law does not govern these systems. What happens then if I get hit with spyware from some other country?

    --
    Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
  8. Re:But... by takeya · · Score: 4, Interesting

    I agree, like it or not, this is not really something the government has been delegated the right to have a say in by the people.

    Slashdot is too full of narrow-sighted people who will say the same things I just did about acts like REAL ID, but fail to realize that legislating computer software is also not within their rights. The 10th amendment is always my favorite defense, but nobody really cares about the Bill of Rights anymore and it's sad.

  9. Wiretapping by jwdb · · Score: 4, Interesting

    How does this affect government observation programs (you know, carnivore et al...)? Does this force them to get a warrant in all cases to certify that they really are 'authorized users'?

    Jw

  10. Great! by rogerzilla · · Score: 4, Funny

    Let's hope it's as successful as the YOU-CAN-SPAM Act. That really showed those Nigerians and Chinese (not to mention the big American spammers) who was boss, didn't it?

  11. I-SPY and other such acts by potpie · · Score: 4, Funny

    Anyone else notice that politicians these days always make their acts spell out cute little words or phrases with their acronyms (PATRIOT, I-SPY, etc.)?

    Well I'm going to become a politician and write up the OMGWTFBBQ act.

    --
    Esoteric reference.
  12. Why Bother? by sqlrob · · Score: 4, Insightful

    There are already laws against unauthorized computer access, just enforce them.

    Yet another unenforced law doesn't do any good.

  13. Be careful what you wish for by Halvard · · Score: 4, Informative

    First let me say IANAL. I've been around them my whole life but that doesn't mean I am one. I have been told by some that I think like them though.

    I don't think this quite protects like people seem to think it does.

    I interpret Section 2a2D of the SPY Act to say it's okay to change security settings without the knowledge of the protected parties as long as you don't seek to do damage. Imagine a defensive claim that a change to weaken security settings is to make the computer easier to use and less confusing. Prove they had a different motive. That could be tough. No question that changing a setting to allow ActiveX controls to always run makes it easier for a website targeting ActiveX capable browsers to run whatever they want "for the purpose" of serving their users and it's "easier" for their "customers" to use the site because then they don't have to bother with or know about changing browser security settings.

    Additionally, has anyone read Title 18,1030? This bill references another which goes to Title 18. Title 18,1030 reads:

    (e) As used in this section--
    (1) the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
    (2) the term "protected computer" means a computer--
    (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
    (B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

    That *might* protect you buying something on eBay but I read that to mean it doesn't protect you regarding, for example, online banking necessarily. Phishing seems to be prohibited in the SPY Act but I think this needs more analysis. I think the Act protects companies like Microsoft and others (Symantec?) that are using DRM and the like. A number of companies (*cough* Real Networks *cough*) get caught not infrequently sending off more information than they claim that they do; they apologize and do it again. So say they "encrypt" it in pig Latin because they aren't supposed to any longer. Now because you've decrypted it (as any American kindergartner can do), you've now violated God knows how many other acts.

    I'm not trying to say the sky is falling. These Acts could be a good start. But anyone who thinks this is the cure is a fool. Don't forget CAN-SPAM legitimized spam while being (mis-?)represented as outlawing it.

  14. Re:Useless? 'protected computer'? by Jurph · · Score: 4, Informative
    No, as usual, Joe Slashdot has utterly failed to do any research. From U.S. Code Title 18, Chapter 47, Section 1030, which this bill amends:
    (2) the term "protected computer" means a computer--
    (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

    (B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;


    So this bill applies to any computer in the United States which communicates with any computer not in the same state (reserving that power for the legislatures of the states). It even covers your computer, as long as your comments here can be broadly interpreted as "communicating". Yeah, I know -- it's a stretch.

  15. What is really needed is more general privacy by jonwil · · Score: 4, Insightful

    Ignoring the fact that the spyware makers could just go offshore and avoid this, what is really needed is a new bill giving Americans more privacy for personal details across the board. (not just for spyware)

    For example, if a company collects personal details they should be required to tell you that they have those details.
    And allow you to change those details if they are wrong.
    And if they give those details to another company (e.g. credit agency, firm that is going to use the details to send you marketing crap etc etc) they should be required to tell you about that too.

    Spyware companies would be required to notify you in advance what personal details their software collects (if any) and what is done with those details.

    The problem with this proposal is that it would cost the big corporations money to implement. But more to the point it would prevent the corps from hiding what is going on (for example, I occasionally get letters from American Express asking if I want an American Express card even though I have never had any dealings with American Express in my life which means that some other company I deal with such as my bank must have given American Express my postal address and stuff)

    Really, the 5 biggest problems with spyware are:
    1. Spyware takes various levels of personal details and sends it to some company (with you not knowing what those details are or what is being done with them)
    2. Spyware installs without it being clear that it is installing
    3. Spyware messes with system files and settings
    4. Spyware takes up memory/system resources (and often internet bandwidth to download ads etc)
    and 5. Spyware is almost always impossible to remove without tools like ad-aware, MS anti-spyware or Spybot.

  16. A few observations by deblau · · Score: 4, Interesting
    First, all the comments about 18 U.S.C. 1030. Your home computer is a "protected computer" since you buy things with it online. That pulls it under the interstate commerce clause, and the power of Congress to regulate it.

    Second, the first bill, H.R. 29, doesn't provide for a private cause of action. It says it's enforced by the FTC. Which means you can't sue under this bill (if it becomes law).

    Third, the second bill allows for an (implied) private cause of action: "No person may bring a civil action under the law of any State if such action is premised in whole or in part upon the defendant's violating this section." It doesn't say you can't bring a criminal action under state law, so you may not be required to file in federal court.

    My sense of the bills is that the first goes after companies who make and bundle spyware, while the second goes after extortionists, phishers, virus writers and the like.

    --
    This post expresses my opinion, not that of my employer. And yes, IAAL.