Would An Anti-Spyware Law Do More Harm Than Good?

from the if-past-experience-is-any-indication... dept

Some folks in Congress have been pushing for anti-spyware laws for a few years now without much luck. It seems to get through the House and then get shot down in the Senate. Once again, a bill has sailed through the House, and the backers are hopeful it will get Senate approval this time around. However, the bigger question is whether such a law would actually help or hurt. There are a number of reasons to think that it would do more harm than good. First, any bill needs to “define” spyware, which is always a bit problematic. It can be even more problematic because everyone is confused over the name “spyware,” which focuses on the spying part. The thing that is most annoying about most of these apps isn’t the “spying” but the surreptitious installs. Also, if the CAN SPAM law is any indication of how this works, it’s unlikely to help at all. In fact, all it really does is better define what you need to do to make “legal” spyware. That could make the problem much worse as companies figure out ways to obey the letter of the law, while violating the spirit of it. At the same time, it’s not clear that this law is even needed. As we’ve seen recently, folks like the FTC and New York’s Attorney General have been getting aggressive in going after the worst offenders with existing laws already in place. While we’re sure that the backers of this anti-spyware bill have the best of intentions, the end result is unlikely to be helpful, and could actually be quite harmful.



Comments on “Would An Anti-Spyware Law Do More Harm Than Good?”

25 Comments
claire rand (user link) says:

kinda like spam

there is a plus side to all this though, if companies obey the ‘letter of the law’, like some of the spam idiots have it makes finding things easy.

Especially if such programs end up containing a reference to the legislation that ‘proves they are not spyware’ somewhere, since it can’t be too hard to look for that, and sort of filter out the programs from installing. should at least cut down *some* of this stuff, frankly any reduction is probably a good thing.

all the law *must* do is make sure that the computer owner’s right to decide what is and is not installed is held to be paramount, thus avoiding license agreements that claim ‘uninstalling is a violation’ being enforced anywhere.

given the way courts have handled attempts to have anti-spam programs banned or restricted I can see this going the right way however, especially with a judge who has ever suffered from a popup.

defining spyware/malware is easy (on a personal level) it’s “something I don’t want”, the easy way is to legislate that a program must make its functions visible, none of this hidden crap, and everything *must* have a working un-install.

of course nothing is going to stop all the overseas rubbish, but as I say, if it cuts down even 5% of this rubbish it may be worth doing.

oh yes, and include penalties that allow your courts to go after the people benefitting from all this if they are in the states as well please, to avoid the problem being offshored while all the data flows home.

Programming_3PO says:

Re: kinda like spam

“the easy way is to legislate that a program must make its functions visible, none of this hidden crap”

Unfortunately, you’ve just legislated away any background service running on any operating system. Do you think the average user knows how to manually set up a network connection, or would they rather just plug the computer into “that box I was told to attach it to”. It’s hidden background services that make that possible.

A working uninstall, that doesn’t need to hit the internet to remove the application, would be welcome, and easy to do as well.

Anonymous Coward says:

Re: Re: kinda like spam

not really, making a function ‘visible’ means it appearing in task lists, not masking its name or using stealth to hide.

it doesn’t mean it has to scream that it’s running, but if you look it must be there.

also the fact it will be running gets listed in the install.

as an aside i’d love for microsoft to ‘sign’ everything that comes with windows, so task manager can show me what’s running that *didn’t* come as part of the os. ala all the pre installed crapware

Enrico Suarve (user link) says:

Re: Re: Re: kinda like spam

I don’t see how being visible in the task manager is going to help that much – sure I know *you* know how to check this and look for bad stuff, but your average user isn’t going to be able to. If you aren’t careful, by stating that spyware is all software that display itself you legitimise the pieces that do (and I bet a load would start to show themselves so they are able to declare legally they aren’t spyware)

I too would love MS to sign stuff and have often thought the same thing, but the problem is that if they do this you let your guard down, once that happens all the bad guys have to do is figure out how to hack the signing process (not so hard given folks already hacked out the protection for Vista), and suddenly people start ignoring that nasty program cos it’s part of windows….

Don’t get me wrong – I would love to do something about spyware, something that would really hurt the creators (I work in end user IT security). I just don’t think that this approach is the way

Anonymous Coward says:

Re: Re: Re:2 kinda like spam

thinking of it, i’d have been happy with a list of what actually is on the windows discs, so it’s possible to see what ‘could’ be running, oh the md5’s for the processes and what they do would be nice. matter less now that google can do some of this. ironic google helping microsoft but there you go.

Micheal Rossiter (profile) says:

Spyware

Surely the easiest way is to simply BAN all third-party installs when software is installed.

Then when you start the app for the first time it asks you to MANUALLY install the spyware/adware app warning you the product is advert supported and offering you an uninstall for the main app if you didn’t realize this when you got the program.

With such a warning ALL non-user chosen apps would instantly be breaking the law if they install advertising/spyware without having the user MANUALLY double click an EXE to install.

The other cool thing would be a STANDARDIZED and short spoken AND text warning such as:

“THIS SOFTWARE IS SUPPORTED BY ADVERTISING AND MAY COLLECT PERSONAL DATA, IF YOU DO NOT WISH THIS TO HAPPEN DO NOT USE THIS SOFTWARE”

security (user link) says:

Up to $3 Million in Fines Per Violation

Someone would have to OPT-IN for the following:

The bill also would prohibit surreptitious keystroke logging, browser hijacking and the unauthorized removal or disabling of security software installed on a computer. Violators would face civil penalties of up to $3 million per violation.

Perhaps it is the amount of the potential penalties that may be one factor. Also, many of these malware attacks are not in the USA and may not be practical to litigate.

Overcast says:

Why do the ‘legal’ types never stop whining about spam? I swear – every place I’ve ever worked in it, the legal departments cry, complain, and bitch more about spam than anyone.

Guess it makes sense they would want a ‘law’ against it.

So ok – yeah, ummm… go prosecute some guy in China that’s sending email spam through some small US company’s exchange 5.5 server with an open relay.

Most spammers already go to lengths to avoid blacklists and such as are already adept at dodging the ‘system’.

Fred Flint says:

What About Micro$oft?

Everyone seems to forget that Micro$oft is the company that does the most “hidden installs” and changes to people’s computers. Do they spy on you?

Well, figure out why they only provide half a firewall! It blocks “incoming” but ignores “outgoing”, like spyware, Duh!

Micro$oft will never allow such a law.

Enrico Suarve (user link) says:

Arguing Black is White...

There’s lots of good ideas in the other posts but I’ve met people (and worked with them) who could rip most of them apart easily, install spyware on your machine and still be able to obey the letter of the law as Mike says

We have two problems here:

1) Make the law too defined and you are going to cut out legitimate business and technology models
2) Make it too loose and it’s going to be easy to work around and effectively legalise some spyware

Sorry to do this but for example – taking apart some of the arguments already presented

“all the law *must* do is make sure that the computers owners right to decide what is and is not installed is held to be paramount”
A lot of spyware already is installed specifically by users who simply don’t understand that “In order to work properly this software will send information to….” = spyware

“the easy way is to legislate that a program must make its functions visible, none of this hidden crap,”
Define hidden – there’s a lot of modules legitimate programs install that they don’t specifically tell you about (most users wouldn’t understand what they are anyway) I’ll just put my spyware in the ‘automatically download security updates’ module then – you’re bound to want that

“everything *must* have a working un-install.”
I agree but define working – I’d write something which uninstalled itself fully on demand, but would not reverse configuration changes made to the OS itself on install which made you more vulnerable to direct attack, since I “can’t” reverse these changes as I have no way of knowing if other programs rely on them now. Obviously I’d exploit your vulnerability from my overseas company

“if it cuts down even 5% of this rubbish it may be worth doing.”
But if it potentially legalises 10%…..

“include penalties that allow your courts to go after the people benefiting from all this if they are in the states as well please”
YES – definitely agree with you there that this is the way ahead – but this is another story

“surely the easiest way is to simply BAN all third-party installs when software is installed.”
That would make programs which download 3rd party drivers, java, activex etc potentially illegal

“Then when you start the app for the first time it asks you to MANUALLY install the spyware/adware app warning you the product is advert supported and offering you an uninstall for the main app if you didn’t realize this when you got the program. THIS SOFTWARE IS SUPPORTED BY ADVERTISING AND MAY COLLECT PERSONAL DATA, IF YOU DO NOT WISH THIS TO HAPPEN DO NOT USE THIS SOFTWARE”

This may be the best suggestion to it all but the basic underlying problem is that this is already done for a lot of the stuff out there (emoticons used to do this a lot – don’t know if they still do this) but the warnings are hidden in the ultra wordy EULA and even then people (my kids included) don’t know what this means so click any way.

The problem is that all of these suggestions (and some of them are good) in the end rely on users understanding the issues involved and my experience is often they don’t – nor should they have to

Passing laws like this that attempt to define are dangerous as they open loopholes and give a patina of legality to software which narrowly gets around them

Although I appreciate the attempt by Congress to do something, this may be misguided (although a vast improvement on attempts in other areas)

Finally (if you have read this far) if you do pass these laws and they do work, the adware manufacturers will all move to China….

Stick to fining the companies being advertised – it’s more straightforward, does not risk legalising some spyware and should work, when going after an army it’s usually best to strangle the supply lines than face them head on….

Enrico Suarve (user link) says:

Re: The Best Suggestion?

Actually I was quoting another post for the bit but fair enough since you’ve mentioned it twice i’ll bite…

“Umm…or, you could just use free (as in speech) software.”

Define ‘free (as in speech) software’ what exactly is this? Are we talking open source software? And if so how exactly does this help reduce spyware? (other than open source spyware filters obviously)

Wizard Prang (user link) says:

Why a law won't work

1) It only applies to advertisers within the US…

2) …that you can catch…

3) …that will actually care about a law that stands between them and making a buck.

Personally I am of the opinion that the only thing that would affect a spyware/spammer (they both have the same mentality) is to make them bear the cost in some way.

When net vigilantes signed Alan Ralsky up for thousands of catalogs, he saw it as “harassment”, but refuses to understand that this is highly analogous to the harassment that he causes others.

Another way might be for major corporations to sue them for cleanup costs.

rstr5105 says:

Or we could

Or we could simply require everyone buying an internet connection take a small test. This test would include things like plugging the computer into the modem/wall jack (for those people still stuck on 56k.) Basic internet security (Firewall, spybot, adaware, antivirus software) and anybody who failed to pass with at least (roughly) a 95% is simply refused. The correct answers would not be given after the test and in order to get said internet connection the person who was attempting to purchase it would go to a free internet security seminar (discussing the above mentioned internet security tools) and would have said test re-administered.

We don’t need to legislate, we need to educate.

Rstr

Enrico Suarve (user link) says:

Re: Or we could

Nice idea but a little arrogant maybe? Just because computers are something you use and understand doesn’t mean they are something that everyone will or should (at least not to the depth required to counter spyware which is often far from basic)

This even leaves out the fact that a lot of spyware installs without the user’s consent in any manner using backdoors

Do you have a full in depth understanding of everything you use? Everything?

Why should computers be treated any different?

Walter Dnes says:

Re: Or we could

Re: Comment 20 by rstr5105

> spybot, adaware, antivirus software […yada, yada, yada…]

What about those of us who have the intelligence to choose an OS and browser that don’t run Active-X drive-by-downloads? There are some OS’s where there *IS* a difference between *OPENING* an attachment versus *EXECUTING* that same attachment.

A firewall is still a good idea, but howsabout testing on the actual computer the user will be using.

rstr5105 says:

re enrico

I don’t have FULL depth understanding of everything I use, But I won’t use something until I have more of an idea than, push this button to turn it on.

Basic malware scans and internet security should be a MUST for everyone.

I’m not saying it will eliminate the problem, and maybe it is just a bit arrogant, but it will help.
