Would An Anti-Spyware Law Do More Harm Than Good?
from the if-past-experience-is-any-indication... dept
Some folks in Congress have been pushing for anti-spyware laws for a few years now without much luck. It seems to get through the House and then get shot down in the Senate. Once again, a bill has sailed through the House, and the backers are hopeful it will get Senate approval this time around. However, the bigger question is whether such a law would actually help or hurt. There are a number of reasons to think that it would do more harm than good. First, any bill needs to "define" spyware -- which is always a bit problematic. It can be even more problematic because everyone is confused over the name "spyware," which focuses on the spying part. The thing that is most annoying about most of these apps isn't the "spying" but the surreptitious installs. Also, if the CAN SPAM law is any indication of how this works, it's unlikely to help at all. In fact, all it really does is better define what you need to do to make "legal" spyware. That could make the problem much worse as companies figure out ways to obey the letter of the law while violating the spirit of it. At the same time, it's not clear that this law is even needed. As we've seen recently, folks like the FTC and New York's Attorney General have been getting aggressive in going after the worst offenders with existing laws already in place. While we're sure that the backers of this anti-spyware bill have the best of intentions, the end result is unlikely to be helpful, and could actually be quite harmful.
Reader Comments
kinda like spam
Especially if such programs end up containing a reference to the legislation that 'proves they are not spyware' somewhere, since it can't be too hard to look for that, and sort of filter out the programs from installing. should at least cut down *some* of this stuff, frankly any reduction is probably a good thing.
all the law *must* do is make sure that the computer owner's right to decide what is and is not installed is held to be paramount, thus avoiding license agreements that claim 'uninstalling is a violation' being enforced anywhere.
given the way courts have handled attempts to have anti-spam programs banned or restricted I can see this going the right way however, especially with a judge who has ever suffered from a popup.
defining spyware/malware is easy (on a personal level) it's "something I don't want", the easy way is to legislate that a program must make its functions visible, none of this hidden crap, and everything *must* have a working un-install.
of course nothing is going to stop all the overseas rubbish, but as I say, if it cuts down even 5% of this rubbish it may be worth doing.
oh yes, and include penalties that allow your courts to go after the people benefitting from all this if they are in the states as well please, to avoid the problem being offshored while all the data flows home.
[ link to this | view in chronology ]
Re: kinda like spam
Unfortunately, you've just legislated away any background service running on any operating system. Do you think the average user knows how to manually set up a network connection, or would they rather just plug the computer into "that box I was told to attach it to"? It's hidden background services that make that possible.
A working uninstall, that doesn't need to hit the internet to remove the application, would be welcome, and easy to do as well.
[ link to this | view in chronology ]
Re: Re: kinda like spam
it doesn't mean it has to scream that it's running, but if you look it must be there.
also the fact it will be running gets listed in the install.
as an aside I'd love for Microsoft to 'sign' everything that comes with Windows, so task manager can show me what's running that *didn't* come as part of the OS. ala all the pre-installed crapware
[ link to this | view in chronology ]
Re: Re: Re: kinda like spam
I too would love MS to sign stuff and have often thought the same thing, but the problem is that if they do this you let your guard down, once that happens all the bad guys have to do is figure out how to hack the signing process (not so hard given folks already hacked out the protection for Vista), and suddenly people start ignoring that nasty program cos it's part of Windows....
Don't get me wrong - I would love to do something about spyware, something that would really hurt the creators (I work in end user IT security). I just don't think that this approach is the way
[ link to this | view in chronology ]
Re: Re: Re: Re: kinda like spam
[ link to this | view in chronology ]
Law?
[ link to this | view in chronology ]
Spyware
Then when you start the app for the first time it asks you to MANUALLY install the spyware/adware app warning you the product is advert supported and offering you an uninstall for the main app if you didn't realize this when you got the program.
With such a warning ALL non-user chosen apps would instantly be breaking the law if they install advertising/spyware without having the user MANUALLY double click an EXE to install.
The other cool thing would be a STANDARDIZED and short spoken AND text warning such as:
"THIS SOFTWARE IS SUPPORTED BY ADVERTISING AND MAY COLLECT PERSONAL DATA, IF YOU DO NOT WISH THIS TO HAPPEN DO NOT USE THIS SOFTWARE"
[ link to this | view in chronology ]
Up to $3 Million in Fines Per Violation
Perhaps it is the amount of the potential penalties that may be one factor. Also, many of these malware attacks are not in the USA and may not be practical to litigate.
[ link to this | view in chronology ]
anti spyware law
[ link to this | view in chronology ]
highly ill conceived
I hate spam as much as anyone, but I'd rather rely on my Gmail spam filter and SPF records than create new laws.
[ link to this | view in chronology ]
Re: highly ill conceived
[ link to this | view in chronology ]
Guess it makes sense they would want a 'law' against it.
So ok - yeah, ummm... go prosecute some guy in China that's sending email spam through some small US company's Exchange 5.5 server with an open relay.
Most spammers already go to lengths to avoid blacklists and such as are already adept at dodging the 'system'.
[ link to this | view in chronology ]
What About Micro$oft?
Well, figure out why they only provide half a firewall! It blocks "incoming" but ignores "outgoing", like spyware, Duh!
Micro$oft will never allow such a law.
[ link to this | view in chronology ]
Arguing Black is White...
We have two problems here:
1) Make the law too defined and you are going to cut out legitimate business and technology models
2) Make it too loose and it's going to be easy to work around and effectively legalise some spyware
Sorry to do this but for example - taking apart some of the arguments already presented
"all the law *must* do is make sure that the computer owner's right to decide what is and is not installed is held to be paramount"
A lot of spyware already is installed specifically by users who simply don't understand that "In order to work properly this software will send information to...." = spyware
"the easy way is to legislate that a program must make its functions visible, none of this hidden crap,"
Define hidden - there's a lot of modules legitimate programs install that they don't specifically tell you about (most users wouldn't understand what they are anyway) I'll just put my spyware in the 'automatically download security updates' module then - you're bound to want that
"everything *must* have a working un-install."
I agree but define working - I'd write something which uninstalled itself fully on demand, but would not reverse configuration changes made to the OS itself on install which made you more vulnerable to direct attack, since I "can't" reverse these changes as I have no way of knowing if other programs rely on them now. Obviously I'd exploit your vulnerability from my overseas company
"if it cuts down even 5% of this rubbish it may be worth doing."
But if it potentially legalises 10%.....
"include penalties that allow your courts to go after the people benefiting from all this if they are in the states as well please"
YES - definitely agree with you there that this is the way ahead - but this is another story
"surely the easiest way is to simply BAN all third-party installs when software is installed."
That would make programs which download 3rd party drivers, java, activex etc potentially illegal
"Then when you start the app for the first time it asks you to MANUALLY install the spyware/adware app warning you the product is advert supported and offering you an uninstall for the main app if you didn't realize this when you got the program. THIS SOFTWARE IS SUPPORTED BY ADVERTISING AND MAY COLLECT PERSONAL DATA, IF YOU DO NOT WISH THIS TO HAPPEN DO NOT USE THIS SOFTWARE"
This may be the best suggestion to it all but the basic underlying problem is that this is already done for a lot of the stuff out there (emoticons used to do this a lot - don't know if they still do this) but the warnings are hidden in the ultra wordy EULA and even then people (my kids included) don't know what this means so click any way.
The problem is that all of these suggestions (and some of them are good) in the end rely on users understanding the issues involved and my experience is often they don't - nor should they have to
Passing laws like this that attempt to define are dangerous as they open loopholes and give a patina of legality to software which narrowly gets around them
Although I appreciate the attempt by Congress to do something, this may be misguided (although a vast improvement on attempts in other areas)
Finally (if you have read this far) if you do pass these laws and they do work, the adware manufacturers will all move to China....
Stick to fining the companies being advertised - it's more straightforward, does not risk legalising some spyware and should work, when going after an army it's usually best to strangle the supply lines than face them head on....
[ link to this | view in chronology ]
The Best Suggestion?
"THIS SOFTWARE IS SUPPORTED BY ADVERTISING AND MAY COLLECT PERSONAL DATA, IF YOU DO NOT WISH THIS TO HAPPEN DO NOT USE THIS SOFTWARE
This may be the best suggestion to it all [...]"
Umm...or, you could just use free (as in speech) software.
[ link to this | view in chronology ]
Re: The Best Suggestion?
"Umm...or, you could just use free (as in speech) software."
Define 'free (as in speech) software' what exactly is this? Are we talking open source software? And if so how exactly does this help reduce spyware? (other than open source spyware filters obviously)
[ link to this | view in chronology ]
Why a law won't work
2) ...that you can catch...
3) ...that will actually care about a law that stands between them and making a buck.
Personally I am of the opinion that the only thing that would affect a spyware/spammer (they both have the same mentality) is to make them bear the cost in some way.
When net vigilantes signed Alan Ralsky up for thousands of catalogs, he saw it as "harassment", but refuses to understand that this is highly analogous to the harassment that he causes others.
Another way might be for major corporations to sue them for cleanup costs.
[ link to this | view in chronology ]
the best defense
"how exactly does [free software] help reduce spyware?"
Enrico, I decided to answer that question in full here. You also asked for a definition of "free software" which is provided in links on that post.
Hope that helps.
[ link to this | view in chronology ]
The line I typed above makes no sense - it should be
by stating that spyware is all software that DOESN'T display itself you legitimise ALL the pieces OF SOFTWARE that do
Sorry
[ link to this | view in chronology ]
Or we could
We don't need to legislate, we need to educate.
Rstr
[ link to this | view in chronology ]
Re: Or we could
This even leaves out the fact that a lot of spyware installs without the user's consent in any manner using backdoors
Do you have a full in depth understanding of everything you use? Everything?
Why should computers be treated any different?
[ link to this | view in chronology ]
Re: Or we could
> spybot, adaware, antivirus software [...yada, yada, yada...]
What about those of us who have the intelligence to choose an OS and browser that don't run Active-X drive-by-downloads? There are some OS's where there *IS* a difference between *OPENING* an attachment versus *EXECUTING* that same attachment.
A firewall is still a good idea, but howsabout testing on the actual computer the user will be using.
[ link to this | view in chronology ]
"how exactly does [free software] help reduce spyware?"
This is an important question. I answer that here.
[ link to this | view in chronology ]
re enrico
Basic malware scans and internet security should be a MUST for everyone.
I'm not saying it will eliminate the problem, and maybe it is just a bit arrogant, but it will help.
[ link to this | view in chronology ]