Why Would The Copyright Lobby Be Concerned About An Anti-Spam Bill?
from the because-it-may-hurt-their-rootkits dept
Up in Canada, there have been ongoing discussions and negotiations over an anti-spam law. While I have various reservations over anti-spam legislation (here in the US it’s done little to stop spam, but plenty to outline how to “legitimately” spam people), it’s a bit surprising to find out that the copyright lobby is heavily involved in the process as well. Why would the copyright lobby care about an anti-spam bill? Apparently, they’re afraid that it’ll hinder their use of DRM, since the current bill requires consent before installing software on computers. And, as we learned in Sony’s famous rootkit debacle, plenty of DRM works by surreptitiously installing software that watches what you do with content. Of course, the last thing the entertainment industry would want is to be required to be 100% upfront and truthful with you when it’s installing spyware/DRM on your computer. That would — in their minds — defeat the point.
So, the copyright lobby has been making sure to water down the bill, to try to cut out the language that would cover their use of surreptitious spyware/DRM:
Sources say that the Liberals have introduced a motion that would take these practices outside of the bill. In its place, they would define computer program as, among other things, “a program that has as its primary function…inducing a user to install software by intentionally misrepresenting that installing that software is necessary to safeguard security or privacy or to open or play content of a computer program.” This sets such a high bar – primary function, intentional mispresentation – that music and software industry can plausibly argue that surreptitious DRM installations fall outside of C-27.
And, of course, once the copyright lobby can put spyware on your machine, they want to be sure they can spy on you and use that information against you:
PIPEDA currently features a series of exceptions to the standard requirements for obtaining consent for the collection of personal information (found in Section 7). Bill C-27 includes a provision that bars those exceptions in cases involving computer harvesting of email addresses and the “collection of personal information through any means of telecommunication, if the collection is made by accessing a computer system or causing a computer system to be accessed without authorization.” In other words, email harvesting and spyware would not be permitted and would not qualify for the PIPEDA exceptions found in Section 7.
The copyright lobby is deeply concerned that this change will block attempts to track possible infringement through electronic means. The Section 7(1)(b) exception in PIPEDA currently states that collecting personal information without consent or knowledge of the individual is permitted if it is reasonable to expect that the collection “would compromise the availability or accuracy of the information” and the collection is “related to investigating a breach of an agreement or a contravention of the laws of Canada.”
It’s really stunning what kind of sense of entitlement the entertainment industry has — insisting that it should have the right to install spyware on your computer without you knowing about it, and to then collect all sorts of private info about you and what you do on your computer. Shameful.
Comments on “Why Would The Copyright Lobby Be Concerned About An Anti-Spam Bill?”
The ineffectiveness of legislation
Your most important point is the first one: the absolute ineffectiveness of all anti-spam legislation. It is a pointless exercise, supported only by (a) the naive and (b) spammers. Everyone with even modest clue in this area knows, for example, that the pro-spam lobby wrote most of the provisions in the US CAN-SPAM bill and that they’re quite delighted with the results. Now we see that in Canada, the same thing is happening: abusers are pouring money and resources into writing a bill that will do nothing to stop spam — in fact, it will increase it and provide legal cover for it. AND as a bonus, it’ll make deliberately compromising end-user systems legal.
I’ve been paying attention to the spam problem for over a quarter century now (I released the first anti-spam program ever back in the mid-80’s) and one of the things I’ve noticed is that legal action against spammers is infrequent, inept, and self-serving. That is: it’s only undertaken under two circumstances: (1) when a sufficiently powerful corporation co-opts the mechanisms of government or (2) when someone needs to score political points. In both these cases, it’s important to recognize that the goal of such action is not to stop spam; they couldn’t care less about that. It’s a PR exercise, and if it incidentally decreases spam temporarily, well, that’s a minor bonus.
Worth noting as well is that even if the perfect anti-spam bill (whatever that looks like) was enacted anywhere in the world, it would do not good unless it was enacted everywhere, and that will never happen. And even if that far-fetched outcome came to pass: it would still do no good, as there are no resources (including budget, highly trained personnel, investigators, prosecutors, etc.) to enforce it.
And this is why the security theater continues — and why the spam problem continues to get worse. Spammers (and other abusers, like those implanting spyware) understand the game far better than the naive, pathetically clueless people who actually think anti-spam laws will work.
Re: The ineffectiveness of legislation
True, but this is about the copyright lobby, not about spam. I think legislation to prevent copyright maximalists from secretly installing software on my system would be quite effective, even if just to give me a legal reason to pursue them. To use an analogy, it’s one thing to send junk mail to my (streetside) mailbox, it’s quite another to secretly install surveillance gear inside my house to make sure I do nothing nominally illegal with my media, to report me if I do, and to potentially implicate not only myself, but my family and houseguests in the process. Keep fighting the good fight with respect to SPAM, but realize there may be battles to fight that are more important. Perhaps are 25 years you should consider shifting your focus a bit?
Re: Re: The ineffectiveness of legislation
Well, first, a pedantic point: it’s “spam”, never “SPAM”. The latter is a trademark of Hormel Corporation for one of their products, and is not related to unsolicited bulk email. I’ve been quite surprised over the years that they’ve actually been rather sanguine about our co-opting of the lowercase version of the term — any number of other companies would have adopted the “sue everyone” approach. So I think it’s reasonable to ask folks to avoid the uppercase form as a goodwill gesture back.
As to whether there are other battles that are more important: there certainly are, for example, the fight against breast cancer, where I also spend my time, money and energy. There are always “more important” battles based on our own perceptions and values. But there’s only time to tackle so many in a lifetime, and spam is one those I’ve committed to.
And as it turns out, the fight against spam/spammers is increasingly the fight about abuse/abusers in general, where that includes malware, spyware, DoS attacks, and quite a few other things. One of the major realizations of the past decade is that the people doing all these things are the same people; they’ve put together elaborate enterprises which (for example) use viruses to create botnets that are used to host phishing sites that are the payload in spam runs. Thus it turns out that folks studying malware, and folks studying botnets, and folks studying spam are all looking at different pieces of the same puzzle — and all of them can contribute to (well, we hope) understanding and countermeasures.
Re: Re: Re: The ineffectiveness of legislation
You should listen to Steve Gibsons security now podcasts. You know steve gibson was the first to make an anti spyware program, opt – out (I have it), and Lavasoft Ad – aware got their inspiration from him.
Re: Re: Re: The ineffectiveness of legislation
“… the pro-spam lobby wrote most of the provisions in the US CAN-SPAM bill”
“There are always “more important” battles based on our own perceptions and values. But there’s only time to tackle so many in a lifetime, and spam is one those I’ve committed to.”
You’ve said some very interesting things, do you have a blog? I would like to read more analysis on the subject. Or where are your sources, I want to look deeper in the subject.
I think E – Mails are (or at least were) a great way to spread important messages. Then again retarded things like chain letters get sent in E – Mails. But perhaps these anti spam laws were designed to prevent people from forwarding certain political speech or discussions/opinions on important issues? Hard to say.
I can’t find the legislation, so perhaps my memory is wrong, but at least in California (if not the U.S.) I remember on the news a long time ago that a bill was passed to limit what can be said on fortune cookies. Before this law was passed all sorts of strange things (ie: some fortune will bestow up you or some nonsense like that) were said on fortune cookies. The pretext behind limiting what could be said was to prevent them from giving people false hope or to prevent them from misguiding people (which is also nonsense). Now they say things but they don’t say as much and there are limits on what they can say. However, one thing I did notice is that lottery numbers are allowed on fortune cookies and, now, on the bottom of each fortune cookie is a lottery number. I don’t remember that from before. So perhaps the real reason for the law was to discourage certain things to be said for the purpose of encouraging them to put lottery numbers on fortune cookies to encourage people to buy more lottery tickets. I’m just guessing, don’t really know.
The point is that when laws are passed often times their alleged intent is not their true intent. If the spam lobby was behind much of the anti spam laws then that aloe is good reason to believe this might be one of those situations.
Due Process Anyone
Michael writes: “The copyright lobby is deeply concerned that this change will block attempts to track possible infringement through electronic means.” I am continuously dumbfounded that neither the public nor our lawmakers seem to fan the flames of outrage when private companies propose to monitor you However, if a law enforcement appears to be “profiling”, everyone jumps on the accusatory bandwagon whining about how they are being maliciously harmed. Private industry does not have a right to spy on you and our lawmakers need to put an end to this onerous practice.
Re: Due Process Anyone
“neither the public nor our lawmakers seem to fan the flames of outrage when private companies propose to monitor you”
It seems like such an opportunity to win political points and to simultaneously shine a bad light on your competition. There’s only one reason no one has done it already.
Installation of any software without user consent should be outlawed – there should not be one rule for one and another rule for another.
Equality under the law is an ancient right to be enforced in any age.
What separates the actions here of the entertainment industry and any other criminal? Nothing …. Except the criminal is probably more honest about their objectives.
What’s the most shameful to me is how incredibly easy it is for their lobby to write and pass legislation. It’d be nice if the “representatives” ran with a price tag to let voters know how much they’d have to raise to get actual representation.
Reply to Professor Geist
I am a strong supporter of the goals of the Canadian Government with respect to passing the Electronic Commerce Protection Act (ECPA). Malicious elements like spam and spyware are a serious impediment to Canadians’ ability to conduct business online and ought to be addressed through legislation. Amendments have been proposed to the ECPA that would re-tool these provisions so that they are more focused on the ills the Bill is attempting to address: spam and spyware. I believe much of what is written in this post is inaccurate and misleading. I have taken the time today to write a reply article that addresses many of the criticisms Professor Geist has made to these and other necessary changes to the Bill. I would ask that you please take the time to read my reply to his article. It can be found online on the front page of the blog I maintain on intellectual property law:
http://innovationandculture.wordpress.com/
Re: Reply to Professor Geist
This about James Gannon:
“James Gannon is an associate in our Technology Group in Toronto. His practice focuses on intellectual property, technology and Internet law issues. He represents a variety of clients in these fields, including media industry organizations and technology manufacturers.”
From: http://www.mccarthy.ca/lawyer_detail.aspx?id=6759
Re: Reply to Professor Geist
Ok, you do at the very least understand that what Sony did w/its rootkit installation was wrong, don’t you? How they essentially installed spyware?
Also, did Geist actually say that EVERY change made to the legislation was bad?
And thirdly, I simply don’t understand the point you’re trying to make about Antivirus companies with regards to the inclusion of language that mandates informing the end user that you’re installing something and the purpose of the software they’re installing. Most AV/AS software out there runs their definition updates hourly. I don’t see how a blanket agreement consenting to updates for the purpose of virus/malware defenitions would violate the legislation at all.
And even if it did, when a scan indicates it’s time for a definition update, a dialogue box pops open and says, “Hey, we need to get your software the names of some nasty new malware out there, cool?”, then you click “OK” and go about your business.
Is that really such a problem?
Re: Re: Reply to Professor Geist
Don’t waste your time responding to Gannon. His bot also spammed Geist’s site with the same canned note.
Re: Re: Re: Reply to Professor Geist
Not a spam bot, Marc. Just trying to bring my counter-arguments to wherever this story gets picked up. Also posted a copy to BoingBoing, who picked up on the story but seems to have modded out my post.
I also sent a copy to the Parliamentarians working on the Bill.
Re: Re: Reply to Professor Geist
Dark Helmet:
Yes it’s actually a huge problem. The proposed Bill goes way beyond simply requiring consent to installing updates. It says you have to describe in detail the “function, purpose and effect” of each program, patch, add-on, update, etc. Not just of your program, but also the reasonably anticipated effects on “every other program” that the user might be running. If you’re wrong, the original Bill put software companies on the hook for liabilities of $200 per instance. That was amended and changed to up to $1 million per day. It’s not hard to see how this would open things up to huge liabilities and class actions against software developers.
But I don’t see this as any kind of conspiracy against the software industry. It’s a complicated, technical Bill. Everyone’s working hard to get the language just right so that bad things (spam, spyware) are illegal, but common business practices aren’t. It’s very hard to get this just right, our elected Parliamentarians aren’t programmers, but they’re working hard and listening to a lot of people in order to pass an effective Bill.
Re: Re: Re: Reply to Professor Geist
“But I don’t see this as any kind of conspiracy against the software industry.”
Yes, because legitimate actions that can be expected (ie: enabled autoupdates from an antivirus getting those updates from the Internet) require consent but illegitimate nonsense from big industry spying on you without your consent is perfectly OK. Face it, the whole purpose of this is to turn the Internet and software writing into the scam that pharmaceutical corporations and mainstream media has become, where legislators (ie: FDA) play corporate favoritism against the consumers under the pretext of drug/computer safety/security. It’s all a bunch of nonsense.
Re: Re: Re: Reply to Professor Geist
“It’s very hard to get this just right”
Given the current laws in place for everything else I have VERY LITTLE faith that they’re even trying to serve the consumers whatsoever and I have very good reason not to trust them.
Re: Re: Reply to Professor Geist
Dark Helmet:
You wrote:
“Most AV/AS software out there runs their definition updates hourly. I don’t see how a blanket agreement consenting to updates for the purpose of virus/malware defenitions would violate the legislation at all.”
The original Bill required consent for EVERY patch, upgrade, etc. A lot of software companies said this was unworkable, and an amended version allowed for consent in advance, so that you could consent to the installation of a program and “all future updates”. The original Bill did not allow for that. The drafters listened to the concerns of software companies and amended the Bill as such. That’s when Prof Geist wrote his article “Businesses Resume Attacks on Anti-Spam Bill”.
Re: Reply to Professor Geist
I hate to tell you this, but both you and Michael Geist are probably wrong, and the best solution lies somewhere in between. Personally, I don’t want any of my personal information collected without my consent (either implied or expressed, depending on the situation). I have given my consent to businesses such as my bank to collect and store my personal information. I haven’t given my consent to random people or businesses on the net.
You too are misleading as well. Dr. Geist never described the various copyright lobbyists as a “united copyright lobby”. In fact, he explicitly states that they were lobbyists from the music and software industries. Sure, they were putting on a united front, but they are not a united lobby. They have the same concerns about the bill, and so would logically send the same messages to the MPs. It should also be noted that their lobbying efforts towards the bill are all about the interests of who they represent, not the interests of Canadian citizens. Sure, the prevention of wire-fraud, and the investigation into it is in the interests of Canadians, and therefore the concerns of the banks and law enforcement need addressing (just as a subset example). However, how I use legally purchased software is of no concern to the copyright holder unless I’m causing monetary damage to them (through copyright infringement), or are doing something illegal with it (which is the for the police to take care of). By allowing these exemptions, you allow a company to legally make a program that “phones home” to report the activities of that user for the purpose of “investigating a breach of an agreement” (i.e. a contract, e.g. a EULA) without the express consent or knowledge of the user. Wow, that’s a breach of privacy.
Perhaps both you and Dr. Geist need to think a little more critically.
Re: Reply to Professor Geist
Please research the term “spyware” and frame your responses with regards to the proposed legislation, which is intended to protect individuals, not the proposed changes which are intended to allow certain kinds of spyware, such as Sony’s rootkit DRM.
Spyware gathers information about a user’s system and activities without the user’s knowledge or consent. Covert DRM which “goes beyond copy protection” to track and report on a user’s activity is spyware and should be prohibited.
That the debate “never included discussion of DRM” does not dissolve the appearance that a united copyright lobbyist effort has taken the legislation hostage and is attempting to undermine any protections that would be affirmed by the originally proposed law.
Re: Reply to Professor Geist
James,
You’re a *personal* believer in “goals of the Canadian Government with respect to passing the Electronic Commerce Protection Act (ECPA).” or a *professional* believer?
For example, when you posted this comment at around 9AM Toronto time, did you bill any clients for the time you spend writing your blog or this comment?
You accuse Michael Geist of misdirection. OK, you’re a lawyer. Let’s get SVU on this case: What, prey tell is his hidden motive? He has a history of protecting consumer interests, and appears to be doing so now. On the other hand, you have a definite bias. Have you been involved in public policy debate regarding spam in the past, or is it only now that it behooves your clients?
Seems odd and suspiciously coincidental that a lawyer representing media firms should take time out of his workday, and choose a vocal side in a debate about spam.
Here’s the skinny. When you say a “broad range of Canadian businesses sought to work with the Government to re-tool this section so that these legitimate services would not be prohibited.” The reality is the ‘legitimate services’ to which you refer are more commonly know as spyware. You want to have an exemption to permanently install your pal’s crappy PC-colonoscope upside my computer. If given the choice, I would rather let the SPAM run free, but be certain to craft a specific law against the kind of spyware you seek to exempt. At least SPAM can be filtered, ignored, and deleted.
Sir, you act like the all-powerful Geist is out to get you. Ha! A U of O prof vs. the media industry!? And you think you’re the victim? You say the bill, if unedited, throws out the good with the bad. You are mistaken. Your ilk are not the baby being thrown out with the bathwater… You are the bathwater itself! Dirty, dirty water from a well somewhere near Walkerton.
Derek.
Re: Re: Reply to Professor Geist
Derek,
I’m not saying you’re asking bad questions, but I’m not responding to them. The tone of your post basically suggests you won’t listen to my answer and just look for ways to insist that it’s all just The Man telling me what to say.
I have no problem defending what I’ve written. If you ask your questions in a more respectful tone, I’ll be happy to answer them. Also, understand that some of what you’re asking involves confidential information. I know you’ll likely just presume the answers you’re looking for, but there’s not much I can do about that. On my scale of importance, respecting confidentiality ranks quite a bit higher than coming on top in Internet discussion board discussions.
Re: Re: Re: Reply to Professor Geist
Translation: “I’m going to ignore the content of your questions and instead focus on your tone, because that’s a convenient way for me to avoid addressing their substance. Then I’m going to further evade with vague references to confidentiality, never mind that NOTHING in this discussion should be kept from the public”
5 seconds before i come across a story like this I am always under the illusion that these scumbags cannot sink any lower than they already are… then i read an article like this and i see they have actually sunk lower than ever thought possible.
I say they can install all the spyware they want on my computer, but if at the end of the month if they dont find any “infringements” I should have a free reign to take a baseball bat against one of their execs skulls.
Then the month again resets to zero.
Re: Re:
i second this proposal.
all in favor?
say aye!
Oh, and about DRM...
Any system with embedded DRM is (as I like to put it) “pre-compromised at the factory”. That is, it has had a gaping backdoor installed, and is now insecure by definition.
The pro-DRM shills will bleat endlessly about how this isn’t the case, but they are either ignorant of basic security practice or are disengenuously ignoring it. Of course they are: they couldn’t possibly care less whether they decrease the security of end-users’ systems and thus correspondingly increase their exposure to attacks and abuse. What they care about is having the ability to not just passively spy on user activities, but to actively control them. (I trust everyone here realizes that the business about infringing content is just a charade.)
This same goal on their part is also responsible for their support of spyware and their incessant whining about how terribly, awfully hard it is for them to get along without it. Expect them to raise the volume on this and (if at all possible) to attempt to tie it to national security, since that makes it an easier political sell.
If you wanted effective legislation would you not separate spam from spyware and very clearly define and regulate both.
Seems you would get the same chaotic language if you attempted to outlaw unsolicited voice calls and the unauthorized tapping of voice lines into the same bill.
Re: Re:
Except the way we pass laws in the US, Canada, and most of Europe means that politicians have to try and cram as much content into each bill as possible. It takes much more time to draft and pass two small bills compared to a single larger bill, especially if there are numerous similarities between the two, as is the case here. If we didn’t double up on bills, then either many bills wouldn’t see the light of day, or our representatives would have to spend a lot more time in their respective legislative body.
Wait, I think I just solved all our problems.
Welcome all to the world of loop holes
By the time the Anti-Spam Bill passes, even the spammers will have the right to spy on you.
And the award for Knucklehead of the month goes to ...
I have always found it interesting how people assume that artist or anyone for that matter is wise and intelligent just because they are good in their field.
Re: Wrong Story: And the award for Knucklehead of the month goes to ...
Sorry, was suppose to be posted for: “Shepard Fairey Destroys…” story.
– Alan 🙁
It’s amazing that file sharing programs require some pop up telling people the nature of the program but it’s perfectly ok for spyware made by big corporations to be installed on your computer without your consent.
I promise you
Any company that manages to get anything like this on my pc will regret it.
Never ever piss off a SEO expert who can put his complaint pages on the first page of Google and draw your traffic off to listen to his point of view on just how scummy your company is.
Clearly this is a violation of the Forth Amendment under unreasonable search and seizure of private data contained in the United States Constitution.
Remember folks, because we live in a representational republic, we are all part of the government thus we are all subject to upholding an and all of the constitution, be we an individual or a corporation.
Make sure you remind each company you deal with of this fact every time you deal with them.
Re: I promise you
> Clearly this is a violation of the Forth Amendment under
> unreasonable search and seizure of private data contained
> in the United States Constitution.
No, it’s not.
First of all, this is a Canadian law affecting Canadian citizens. The US Constitution is entirely irrelevant and inapplicable.
Second, even if this law were being proposed in the USA, it’s still not a violation of the 4th Amendment, since that amendment only prohibits the *government* from searching you and your things without a warrant supported by probable cause. A private corporation searching your computer via spyware/DRM is not the government, hence the 4th Amendment does not apply.
It’s still a ridiculous breach of privacy and should be prosecuted under current computer intrusion laws (because let’s face it, if I installed spyware on *their* machines, they’d have a shrieking meltdown and press every chagre against me they could think of). The law is law and it should apply equally to everyone. If they think they have the right to hack into and spy on my computer than I should be able to do the same to them. If they think that should be prohibited and illegal, then they should go to jail for doing it to me.
it's a moral issue
Weren’t you arguing the other day that there wasn’t a moral argument about copyright ? I’d say you’ve found one. To my mind, it’s clearly immoral to mess with other people’s computers without their permission.