Slashdot Mirror


Spy Act of 2007 = "Vendors Can Spy Act"

strick1226 writes "Ed Foster over at InfoWorld describes the Spy Act bill (H.R. 964) as having the same relation to the prevention of spyware that the CAN SPAM Act had to the prevention of spam. It allows exceptions for companies to utilize spyware for any number of reasons; if this bill had been law when Sony distributed their rootkit, they would have had perfect cover. Most troubling is that the bill would preempt all state laws, including those more focused on the privacy of people's data, and disallow individuals from bringing suit. It is expected to pass soon with 'strong bipartisan support.'"

28 of 309 comments

  1. Legal, not moral by Potor · · Score: 4, Interesting

    if this bill had been law when Sony distributed their rootkit, they would have had perfect cover.
    but the protest would have been the same - it was more of a moral outrage than a legal outrage.
    1. Re:Legal, not moral by csmacd · · Score: 5, Insightful

      Yes, organizations that distribute spyware care.

      >sarcasm off

      When organizations have the legal cover to do junk like this, they will. No amount of moral outrage is going to stop them, unless they monitor and report some random elected official's illegal activities.

      --
      Don't pick up the pho*(@)$*@&@!@ NO CARRIER
    2. Re:Legal, not moral by PopeRatzo · · Score: 4, Insightful

      Moral outrage is not going to protect consumers. In the name of commerce, free markets and the consolidation of capital, we are losing every bit of privacy, security, integrity, dignity.

      I think of the report in today's news about the collapse of the housing market. We're seeing a coming depression that is unique in that it will only affect the middle class. I reflect on the anger and aggression with which my credit card company deals with me and my wife just because we pay our bill in full every month. Our banker is shocked because we have paid our mortgage and aren't interested in refinancing our home "to pay bills, take a vacation." Living within our means, not participating in the orgy of consumerism makes us the enemy of those that would see us become indentured.

      Tonight I heard a news article about the lenders who give student loans. They learned that there's more money to be made from having those loans go into default than to have the borrower repay, so they actually discourage repayment. Loan payment checks "get lost" so that late fees and penalties can be levied. The Department of Education knew about the crooked practices in student loans since 1998, but with the end of the Clinton administration and the emergence of the Republican majority in Congress in 2000, the problem was ignored. Foreclosures are at an all-time high.

      They want to make us the consumables. Is it worth having a 42" plasma TV if you lose your soul?

      --
      You are welcome on my lawn.
    3. Re:Legal, not moral by TechnicalFool · · Score: 5, Informative

      As far as I'm aware, organisations always have had the legal cover (if just barely) to distribute spyware, as long as they say it's being installed in the EULA. If not, CoolWebSearch et al. would have been sued out of business a long while ago. According to the article, and if I read it correctly, this seems to be more about giving large companies the legal arse-covering required to hack into your computer "just to check" if you've got, say, a dodgy copy of Autodesk Inventor.

      What I'd be interested in is how this and other such spyware could be subverted, possibly with some false (and FOSS, naturally) piece of software that sends ridiculous junk to the remote servers. Sort of an anti-spyware, if you will. The best analogy I can think of off-hand would be programs like the fake SubSeven servers, that as I recall made your computer pretend to be infected with the SubSeven trojan. If you got someone connecting, you could give them a false directory tree, or press a button to blast their computer with a gazillion windows in their SubSeven client.

      I think maybe a little hacktivism is called for, although naturally I would not advocate breaking any laws in the process! Oh no, sir!

      --
      09F9 1102 9D74 E35B D841 56C5 6356 88C0
    4. Re:Legal, not moral by cbiltcliffe · · Score: 5, Insightful

      They do have good understanding of wallet vote, though.
      Yes. Unfortunately, consumers don't.
      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    5. Re:Legal, not moral by TheVelvetFlamebait · · Score: 4, Insightful

      I have a theory: Slashdotters' opinions are often not at all representative of the majority, so consequently, they often believe that the system, designed to benefit the majority, is completely broken because nothing they want ever happens. This situation is a good example. People who make the parent's case usually believe at least one of these two things:

      a) The wants of consumers do not filter through to these corporations, and that boycotting will make no difference, or
      b) These consumers don't actually know what they want, that they are blinded by corporate advertising saying they are happy when they really aren't, and that they (the person making the argument) know what these people want more than they themselves do.

      It is a fact that most (if not all) corporations exist solely for the purpose of making money, and if you starve them of that, they will sit up and notice. I don't subscribe to the idea that I know what is best for other people, or that other people don't know what they want. If they want no rootkits, then they will think about it. If they don't know what a rootkit is, they probably won't notice or care. If you can't get a significant enough movement up and running (it's not like you don't have the communication equipment to set up an international boycott) then you may just have to accept that people don't care about the same things as you, and that you will have to just avoid the offending products.

      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    6. Re:Legal, not moral by osgeek · · Score: 4, Interesting

      I would agree with your general premise that /.ers have a skewed perspective and don't tend to realize how it explains a lot of their disconnect with what happens in reality.

      But since we're talking about technology issues, isn't the perspective of a bunch of "smarter than your average bear" (yes, I cringed when I typed that, but it's true) geeks more relevant than joe six pack's?

      What if this were a medical discussion board that tended to attract medical professionals, and we were here discussing a health issue? We would rant and rail at how the general population just doesn't understand nutrition guidelines and FDA rulings... "WHY? How could the voters and politicians let the FDA sit in the back pocket of big pharma by letting dicylatrithrithpalaphimides onto the market?", we'd bemoan.

      So, I would argue that consumers tend to not know what they want, contrary to your conclusion #2. They're ignorant of the choices that they make every day -- especially in technology areas where (believe it or not), /.ers tend to be highly educated.

      For example, my Dad knows now that he didn't want to waste the time buying a new computer or having someone fix his current one. But since he was largely ignorant of how his online behaviors (not patching Windows, running IE, opening every attachment he received, etc.) would devastate his desktop, he did all the things that he shouldn't have done. Now he knows, and he knows because he got to experience the pain of computer catastrophe and I spent a lot of "I told you so" time educating him as to what he had been doing wrong.

      As conceited as it sounds, maybe we should be a bit shocked at the technology decisions made by everyday consumers. Maybe it's justified for us to have an air of superiority when we're talking about them. Consumers don't know what rootkits are, despite the fact that they're affected by them. Look at all the people who fall for 419 scams. They're not falling victim to them because of a personal preference that relativistically is just as valid as my preference to NOT fall for them. They're doing it because they're woefully and pathetically ignorant suckers who have no clue what they're doing.

      The shittiest part is that when those woeful, pathetic suckers walk into the voting booth or spend a buck to support companies that do evil so they can get the latest ass-reamingly bad hip hop CD, their opinions count just as much as mine do. I have to suffer with their dumb consumerist, political ideologue influenced choices.

  2. Since no one here uses windows by Anonymous Coward · · Score: 5, Funny

    I don't see who this will be a problem.

    1. Re:Since no one here uses windows by Anonymous Coward · · Score: 4, Funny

      I use Windows Vista you insensitive cl

    2. Re:Since no one here uses windows by TheGratefulNet · · Score: 5, Insightful

      this is actually way beyond windows.

      it SEEMS that this bill gives vendor-tunnels the OK. and also it notes that they can be stealth. you know, like the sneak and peek procedures we have today.

      yes, this is the electronic form of sneak and peek.

      and that is why you should be afraid of this. it gives remote 'special parties', well special privileges on YOUR BOX.

      this is such a bad idea, it must have come from congress and/or special interests.

      this surely has NO benefit to We, The People ;(

      --
      "It is now safe to switch off your computer."
    3. Re:Since no one here uses windows by bberens · · Score: 4, Insightful

      More than that, now a government official can get a warrant for [insert major company] who will gladly allow them access to your system via their pre-installed spyware. They're in your network and you don't even know it. More snooping without the ability to detect or fight in court. Remember, they're looking at the corporation's records, not looking at your box (which you stand a chance to fight in court).

      --
      Check out my lame java blog at www.javachopshop.com
    4. Re:Since no one here uses windows by ozmanjusri · · Score: 4, Funny
      There is no such thing as a totally invulnerable operating system.

      Ok. Rootkit my Knoppix CD then.

      --
      "I've got more toys than Teruhisa Kitahara."
  3. Look! Rights go down the hole... by Marrshu · · Score: 5, Insightful

    ... there go more of our personal rights simply to support the big business and such. Who wants to guess how long it'll take Sony to restart their whole rootkit campaign? Can't forget Microsoft and all those ISPs that want to spy on you. Big Brother is watching you after all.

    1. Re:Look! Rights go down the hole... by JesseMcDonald · · Score: 4, Informative

      Democracy, privacy, and human rights are antithetical to the "free market".

      You're right on the first point, but you've got the last one backwards: without a free market (i.e. freedom to act as you wish so far as it involves your own property, and freedom to engage in voluntary exchange with others without coercive interference) you cannot exercise those "human rights." You have human rights to the exact extent that you have property rights; they are fundamentally inseparable.

      As far as democracy is concerned, you don't live in a democracy (assuming you live in the U.S. or Europe). The U.S. is a constitutional republic, and the important aspect of such a government is the constitutional limits, not the elections.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    2. Re:Look! Rights go down the hole... by JesseMcDonald · · Score: 4, Insightful

      How do you figure? How is my right to speak or move or breathe air tied to my property rights --- unless you consider me someone's property?

      property right: the right to control how a piece of property is employed.

      Move to where? That "somewhere" is either unowned, or someone's property. With private property rights you can own that place -- or receive permission from the owner -- and move to it freely. No one else can legitimately prevent you from doing so. On the other hand, if all the property is collectively owned, or belongs to the State, you'll need to get permission to move. Your right to move is thus artificially subject to someone else's will. (If all property is unowned and cannot be homesteaded then it cannot be employed by anyone (see the definition above), in which case you don't have the right to move anywhere. This is a fairly useless case but it ought to be mentioned. When most people speak of an absence of property rights they really mean ownership by the State, or collective ownership by all, which in a democracy is the same thing.)

      You want to speak? I assume that means you want to address a group? Where will you do it, if no one owns any property? Without private ownership the use of suitable gathering places must necessarily be decided by majority vote, and/or the State. Resources are limited; not everyone who wishes to speak will be able to do so. If your position is in the minority good luck finding a place for your audience to hear you.

      At a more fundamental level, if you don't own anything you cannot ensure your own survival -- food, shelter, defense -- or save for the future. If the Majority doesn't care much for you they can reallocate your rations elsewhere, leaving you to starve. If you objected then you'd be claiming a right to that food, that shelter; a property right, to be exact. But on what basis? You didn't produce that food, or construct that shelter. In a private property system you could claim that the prior owner gave it to you in exchange for something else of value, but without private property you are necessarily at the mercy of the State.

      Property rights are essential for survival. Private property rights are essential for freedom.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  4. Spying Is Ok... If You Have Money by Wandering+Wombat · · Score: 4, Insightful

    So now they're just making the cash-enema legal? I guess it beats all the lying and sneaking and stealing... just change what's considered "legal" until you can do whatever you want!

    If you have money.

    --
    I like to place meaningful quotes in my sig, so people will know that I know what meaningful quotes are.
  5. If companies can install spyware... by LamerX · · Score: 4, Informative

    ...then all spyware will be legal. COMPANIES are the ones who install spyware in the first place. It's there for ADVERTISING. Who does advertising? COMPANIES! This bill will only completely legalize spyware.

  6. Do not use Vista and other DRM enabled tech by roman_mir · · Score: 5, Insightful

    We had this discussion before. The law will make it perfectly legal to spy on you, and your new shiny OS will make it perfectly impossible (well, as long as DRM works) for you to prevent this by technical means.

    People who say that it doesn't matter to them, whether Vista has DRM or not as long as they can play their games, may be surprised to find out that the DRM may make it impossible for them to enjoy their games through enabling the spying and whatever other active measures that can be taken by spying software. Do you like modifying your games in any way? It may become impossible if you are on a DRM platform and you are spied upon. Of course there are those, who would rely on the DRM to be broken but this is not a very good practice to rely on that, I mean there are so many problems with that, for example why would you trust a 'DRM removing patch' from someone to be spyware/rootkit free? It is better to avoid such products altogether. Avoid DRM products, avoid spyware infected products, that's the only way to really stay in the clear. Besides, isn't it illegal to remove 'security protection' under DMCA anyway?

    Free Software becomes more and more attractive in this culture of customer spying and DRM locking every day.

  7. Another reason to use by drgonzo59 · · Score: 4, Insightful

    ...open source software. Even in the Linux world that means not using binary drivers. Who knows perhaps Nvidia or other binary drivers have a backdoor installed at the request of NSA. Is that probable - No. Possible? - Maybe. AT&T for example was diverting (still is?) a lot of their data to NSA, if they wrote drivers, don't you think they would be willing to include a backdoor for U.S. government to use? For all we know such a backdoor exists in Windows. After a high number of cyber attacks on .mil, I am sure Uncle Sam can ask Microsoft to install a small code fragment that would allow access to any machine after say a pre-determined pattern of socket connection attempts or something like that.

  8. Seems like a non-issue to me. by WhiteWolf666 · · Score: 4, Insightful

    What's the deal?

    Why do people think you can legislate your way out of these issues? Spyware, spam, etc . . .

    For e-mail, use a system that is not susceptible to spam (good filtering, and a white list).

    For software, use a system that is not susceptible to spyware (OS X, or Linux).

    Spyware doesn't bother me now, it hasn't bothered me in the past, and it won't bother me in the future. If you've got a problem with spyware, either stop buying products from the people who are infecting your system (ahem, Sony), or stop buying systems that are prone to infection (ahem, Microsoft).

    If a company sells you an unsafe car, do you blame the government, or the car company? And having been sold 2 or 3 unsafe cars already, why would you go back to the same vendor?

    Non issue. Something Congress shouldn't discuss or legislate about. Get over it, and stop being a slave to the MS monoculture.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  9. Re:OK, What Am I Missing? by powerpants · · Score: 5, Insightful

    I don't see anything to get terribly alarmed about. What am I missing?
    The bandwagon.
  10. Moral vs. Legal by mrbluze · · Score: 4, Interesting

    Moral desensitization leads to legal deregulation. With enough exposure and promotion, the public will accept the legalization of just about anything (as history has shown). It is in the interests of large businesses to protect their market and to discover new markets by having the upper hand in intelligence.

    The problem has become that legitimate and morally acceptable markets are generally well serviced and difficult to break into. Companies are therefore very tempted to create new markets, or break into markets which hitherto have been illegal (usually because they are viewed as immoral or socially destructive), such as porn, prostitution, addictive substances, and now privacy invasion.

    As the only way to create these kinds of markets is to change legislation, these companies are very active in infiltrating and influencing government. The US government is particularly prone to this kind of corruption.

    All of this is obvious. But the techniques used are subtle. They will try to sell the idea to make it appear to be in the public interest. Who knows, maybe we can expect to see a report of a missing child found because of spyware, or some shit like that.

    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
  11. blame the OS by Grinin · · Score: 4, Interesting

    I think that software companies behind the Operating systems being used today should take full responsibility at prevention and removal of spyware/adware/malware. There should be no need for anti-virus software. Microsoft should stay ahead of virus writers in order to patch systems with vulnerabilities, and in a much better way than the present.

    This weekend, I was given a PC that needed to have viruses, spyware, malware removed... I thought it was a joke, this thing looked like a honeypot. It had every trojan known to man on it, every piece of spyware, backdoor, and virus had infected it, and no form of security (besides Service Pack 1 for XP). After 4 days straight trying to remove them (formatting not being an option, because the person was missing their OS restore cd and/or Windows XP home edition CD) I have finally gotten all of them removed... but my point, is that none of this should have ever been possible. An operating system should be designed more intelligently than those who want to exploit those same operating systems. I'm sure if they took the same amount of time they spend trying to promote new products and put it into better R&D for patching vulnerabilities, none of this would happen... but I suppose we don't know who scratches whose back in the world of Operating system / Anti-virus vendors anymore....

  12. Re:OK, What Am I Missing? by NeutronCowboy · · Score: 4, Informative

    Are you serious, or just trolling? Here are the key snippets: "or for the detection or prevention of fraudulent activities" and "an affirmative request by the owner or authorized user for an update of, addition to, or technical service for, the software".

    The first part means that anyone who sold you hardware or software can snoop around on your machine if they are doing it to detect fraudulent activities - meaning when the activity hasn't happened yet! Yes, yes, you have nothing to hide. Are you sure? Your SSN is probably around somewhere. As is your bank account, or a lot of other things valuable to identity thieves.

    The second part means that anyone who ever wrote any type of software can access your machine in whatever way they please - as long as it's a discrete interaction.

    This means that the security features in your OS are there only to prevent you from accessing everything in it. It is expected to remain open so that law enforcement, ISPs, software and hardware owners can check for anything they please.

    In short, your computer is yours and secure only in name. Anybody else can trespass pretty much at will. If your computer is broken into and the other party says "I was just checking if anything fraudulent was going on", they're in the clear. Especially if they are a large corporation.

    --
    Those who can, do. Those who can't, sue.
  13. Re:OK, What Am I Missing? by HTH+NE1 · · Score: 5, Interesting

    Exception Relating to Security- Nothing in this Act shall apply to--

    (1) any monitoring of, or interaction with, a subscriber's Internet or other network connection or service, or a protected computer, by a... software provider... for the detection or prevention of fraudulent activities;

    OK, your ISP can do network trouble shooting. Your HW / SW vendor can provide on-line tech support. Seems reasonable to me.

    (2) a discrete interaction with a protected computer by a provider of computer software solely to determine whether the user of the computer is authorized to use such software, that occurs upon -- (A) initialization of the software;

    Microsoft can run their "Genuine Advantage" crap. Not thrilled about it, but not surprised.

    I don't see anything to get terribly alarmed about. What am I missing?
    You're letting intervening words distract you. See my excerpts in the quotation above.

    So even if you have never installed, for example, Adobe software, Adobe can monitor your computer to determine if you ever run an illegal installation of Photoshop. No sunset on the monitoring; they can continually probe your machine in suspicion of piracy. That'll degrade your bandwidth. And not just Adobe will be permitted to do it, but every software vendor out there. They don't have to be your provider, just a provider.

    Also "initialization" is a nebulous term. Are you sure you know how the law defines it? It could easily be phoning home with every launch, or perhaps with every forked process. A perverted vendor could treat it as initialization of any variable, constantly phoning home to make sure everything you do does not violate their EULA.

    Meanwhile, Windows Genuine Advantage has had a not insignificant number of false detections of installations as non-genuine. A little hiccup in an algorithm and they'll cripple the software. Better hope its use wasn't essential to your business. BTW, the EULA makes it clear it should never be used for any essential purpose and disclaims any liability for failure to operate.

    Next, read the full text of the act for the prohibited behaviors and realize that with these exceptions it gives those entities license to do every one of them to you whenever and however often they'd like with impunity.
    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  14. Re:This will legalize the NSA Spying and more by TheGratefulNet · · Score: 4, Insightful

    I have Good Reason To Believe(tm) that there is already a shadow set of remote management commands that are not documented in standard user manuals for SOME comms equipment. these allow remote access to networking equip (entirely at the request of the gov, who is paying for such R&D in some key companies) and things like port mirroring, packet capture, triggering and so on.

    you think you have the 'docs' to the equipment in your data comm room? are you sure? in fact, it's all closed-source and there's very little you can do about it ;(

    and in fact, most people IN the comms equipment vendor don't even know about this behind-the-scenes stuff.

    I'm not kidding and I'm not nuts. this isn't hard to extrapolate given how our gov is SO hell-bent on spying on its own citizens.

    at this point, you do pretty much have to assume that all things you do on the net (this included) are being sniffed and if it 'hits' the right triggers, remote events can be sent or log data retrieved at will.

    it's basically already too late. the horses are already out of the barn. just - BE AWARE of that fact. it's all you can do. just be aware.

    --
    "It is now safe to switch off your computer."
  15. Re:This will legalize the NSA Spying and more by PitaBred · · Score: 4, Funny

    You mean, bomb the kill president New York?

  16. State law will still supersede it, because: by Pap22 · · Score: 4, Interesting

    When it says "Nothing in this Act shall apply to", that doesn't mean "the following is legal". It means, "Nothing is in the books about the following as far as this bill is concerned".

    So if an existing Federal or state law specifically mentions that a provider or software vendor may never access your computer under any circumstance, then that law will supersede this bill.

    Or am I missing something?