Kuro5hin.org: technology and culture, from the trenches

Spyware Control Act

By badly_annoyed in News
Mon Oct 16, 2000 at 10:54:50 AM EST
Tags: Politics (all tags)

There is a new law before Congress in the U.S. This article describes legislation that would prohibit software from transmitting information back to the vendor without the user's knowledge. If the vendor does sneak something past, you can sue for half a million. Ouch.

Spyware Control Act | 30 comments (17 topical, 13 editorial, 0 hidden)
Will never pass (1.92 / 14) (#1)
by Signal 11 on Thu Oct 12, 2000 at 05:15:31 PM EST

Our government? Protecting the rights of its citizens first, instead of looking for "economic prosperity"? Naah, I don't believe it. It'll never pass.

Society needs therapy. It's having
trouble accepting itself.

I like the idea of the law . . . (3.00 / 1) (#27)
by acceleriter on Sun Oct 15, 2000 at 12:39:04 AM EST

. . . but it seems to me that surreptitious transmission of information could have (and should have) been prosecuted using existing computer crime laws. I guess it's too late now to fine the crap out of Microsoft and Real Networks, so now we need a new law. I agree that it stands a snowball's chance--unless there are outs for corporate interests, and it becomes illegal only for small-fry to write software that calls home, while companies like MS and Real continue with impunity.

[ Parent ]
Something like this is totally a good thing (3.66 / 6) (#3)
by ramses0 on Thu Oct 12, 2000 at 05:16:14 PM EST

I'm not usually one for new laws (I'd just like to enforce the old ones), but this is a problem where there doesn't seem to be a real-world equivalent.

I'd guess that it's related to privacy, that when I invite you into my home, I don't explicitly give you permission to take pictures of everything and send them back to BaseHQ.

Can anybody think of an existing law, or precedent which could be enforced instead of enacting a new law? I'll give the first person who can come up with one a chocolate chip cookie!


Re: Something like this is totally a good thing (3.00 / 2) (#14)
by Ryan Koppenhaver on Fri Oct 13, 2000 at 12:37:08 AM EST

There's got to be something. If you give me that chocolate chip cookie, and conveniently forget to mention that it's laced with [unpleasant chemical], I'm sure I'd have a case against you. Hopefully that would extend from real world objects that don't work as advertised, to software with unexpected "features".

[ Parent ]
Re: Something like this is totally a good thing (3.00 / 1) (#26)
by Captain Derivative on Sun Oct 15, 2000 at 12:30:34 AM EST

I see one loophole with this law: End User License Agreements.

(buried somewhere in the twenty-seventh paragraph): "This program will at times collect information about usage of the Software and transmit it to SoftwareCreator. This information will be protected and only shared with specially selected corporate partners." Run that through a language obfuscator and legalizer, and voilà, the user has given you permission to collect whatever information you want and sell it to "corporate partners" (read: people who give us money).

That being said, I like the idea of the law. I just see this as an easy way to circumvent it. Heck, in some EULAs I've seen statements that you give the software provider permission to spot-check your computer (electronically or physically) to make sure you aren't violating the agreement in any way. Even though the law might not end up doing much, it ought to be passed anyway, if nothing more than to provide a spirit-of-the-law sort of thing that privacy advocates can point to later.

Hey! Why aren't you all dead yet?! Oh, that's right, it's only Tuesday. -- Zorak

[ Parent ]
big time exceptions in the proposed law. (3.83 / 6) (#6)
by tsiar on Thu Oct 12, 2000 at 06:00:33 PM EST

According to the linked article, there are exceptions in the law that say if the information is being gathered for tech support or to check if you are a registered user, a program can send your information without notifying you or giving you a choice.

I'll have to check the actual text of the bill, but with such exceptions, the proposed bill seems pretty worthless.

Re: big time exceptions in the proposed law. (3.33 / 3) (#7)
by tsiar on Thu Oct 12, 2000 at 06:15:04 PM EST

Here is a link to the text of the bill: http://frwebgate.access.gpo.gov/cgi-bin/useftp.cgi?IPaddress=

Supposedly the exceptions only allow use of 'secretly' collected information if it's solely for tech support or registration purposes.

[ Parent ]

Re: big time exceptions in the proposed law. (3.66 / 3) (#8)
by tsiar on Thu Oct 12, 2000 at 06:19:12 PM EST

Here's the link to the text of the bill again. It looked fine in preview mode...oh well...

[ Parent ]
I'd still rather see a technical solution (4.00 / 3) (#9)
by pete on Thu Oct 12, 2000 at 07:35:59 PM EST

While privacy is a good thing, I still have a problem asking the federal government to police Internet activities. Just like I believe companies should find technical solutions to DoS attacks, I believe people should demand technical solutions to privacy violations. So, for example, you could have programs running in sandboxes or something similar that can alert you when they try to make an outbound network connection. (Just an example, I know it's not going to solve every one of these cases that's out there today.)

Using the government is always the brute force solution. You don't like something someone else is doing, get the government to get some guns and go take their stuff/put them in jail/whatever. Let's try to be creative first.


Why limit yourself to technical solutions?? (4.50 / 2) (#16)
by JB on Fri Oct 13, 2000 at 07:53:08 AM EST

Why limit yourself to a single approach to a complex problem? Technology can be good, but alone, it is not a solution to any of the pressing issues of the day. Like it or not, at some point you need to give your personal information to others. If they can do what ever they want with that information, you have no privacy. There are neat crypto systems that can help shield you from some prying eyes (and they should be used), but the social dimension is real. Laws are limited, and justice is rarely more than a rough approximation, but compare the relatively 'civilized' countries to places where there is no rule of law. Codes of conduct can be good.

[ Parent ]
Blah blah. (2.25 / 4) (#11)
by eann on Thu Oct 12, 2000 at 08:50:13 PM EST

Blah blah blah. Blah blah education is the key blah blah blah blah. Blah, blah blah open source, we wouldn't have to worry about it. Blah blah blah--blah blah, blah blah, blah blah blah.

One of my senators is on the Senate's Commerce, Science, and Transportation committee, to whom this bill has been referred, and the other one's up for re-election. I let them both know I think S. 3180 is a good idea. I urge other U.S. citizens to do the same.

Our scientific power has outrun our spiritual power. We have guided missiles and misguided men. —MLK

$email =~ s/0/o/; # The K5 cabal is out to get you.

Bad and Wrong! (4.50 / 6) (#13)
by Ryan Koppenhaver on Fri Oct 13, 2000 at 12:28:19 AM EST

While I dislike spyware on general principle, I have to argue that overly onerous notification regulations such as this one are not the way to fight it.

      (1) IN GENERAL- Any computer software made available to the public, whether by sale or without charge, that includes a capability to collect information about the user of such computer software, the hardware on which such computer software is used, or the manner in which such computer software is used, and to disclose to such information to any person other than the user of such computer software, shall include--

        (A) a clear and conspicuous written notice, on the first electronic page of the instructions for the installation of such computer software, that such computer software includes such capability;

Standard warning label type deal. I can handle that, though I don't like how specific it is. What if I don't include electronic instructions for installation?

        (B) a description of the information subject to collection and the name and address of each person to whom such computer software will transmit or otherwise communicate such information; and

        (C) a clear and conspicuous written electronic notice, in a manner reasonably calculated to provide the user of such computer software with easily understood instructions on how to disable such capability without affecting the performance or operation of such computer software for the purposes for which such computer software was intended.

What if the software's purpose is to collect such information? I'm now legally required to provide instructions for the impossible?

      (2) ENABLEMENT OF CAPABILITY- A capability of computer software described in paragraph (1) may not be enabled unless the user of such computer software provides affirmative consent, in advance, to the enablement of the capability.

This is ambiguous. How do we define "consent"? With a click-through EULA? Probably. Does running make when such notice is in the INSTALL file count? Probably not. This is, of course, a severe inconvenience to developers and users of Free software, where EULAs don't exist.

      (3) EXCEPTION- The requirements in paragraphs (1) and (2) shall not apply to any capability of computer software that is reasonably needed to--

        (A) determine whether or not the user is a licensed or authorized user of such computer software;

Henceforth, this shall be known as the "Microsoft Loophole".

        (B) provide, upon request of the user, technical support of the use of such computer software by the user; or

This is risky. Sure, you can't use this loophole to rip off my Social Security Number, all my Email, my PGP private key, or my secret pr0n stash, but there's still a lot of information that I'd like to keep private that might be considered "necessary to provide technical support". If you're going to require disclosure for everyone else, why not disclosure of what it's collecting for tech support, at the time that such support is required?

Look at Netscape's Quality Feedback Agent for a good example of a piece of software (voluntarily) doing this right.

        (C) enable an employer to monitor computer usage by its employees while such employees are within the scope of employment as authorized by applicable Federal, State, or local law.

I understand not allowing employees to disable monitoring software, but I think it's ridiculous to exempt employers from the notification requirement.

      [Snip sections 4 and 5: What they can do with the info they collect, and your right to access it.]

      (6) SECURITY OF INFORMATION COLLECTED THROUGH EXCEPTED CAPABILITY- Any person collecting information through a capability described in paragraph (1) shall establish and maintain reasonable procedures necessary to protect the security, confidentiality, and integrity of such information.

Hmm, "reasonable"... Dual rot13 on an unupdated NT installation, anyone?

    (b) PREINSTALLATION- In the case of computer software described in subsection (a)(1) that is installed on a computer by someone other than the user of such computer software, whether through preinstallation by the provider of such computer or computer software, by installation by someone before delivery of such computer to the user, or otherwise, the notice and instructions under that subsection shall be provided in electronic form to the user before the first use of such computer software by the user.

This just adds to the "who's responsible" mess which I will cover in more detail below.

    (c) VIOLATIONS- A violation of subsection (a) or (b) shall be treated as an unfair or deceptive act or practice proscribed by section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

This seems as good a place as any to address the "who's responsible" issue. All the above rules take the form of "The software must...", and not "The Author of the software must..." or "The distributor of the software must..." or whatever. Now, IANAL, so perhaps there's some legal precedent or other to cover this, but here's a hypothetical situation: I write FooWare, and release it under the GPL. J. Random Hacker takes his copy of FooWare, adds a spyware-type module, and a couple of bells and whistles, and releases it as BarProgram. The source is available, but nobody bothers with it, they just grab the binaries from freedownloads.example.com.

So, when the truth about BarProgram comes out, who's in the hot seat? Is it me, the original author? Is it JRH, who wrote the spyware code? Or is it the download site, who were distributing it?


      (1) IN GENERAL- Notwithstanding any other provision of this section, a computer software provider that collects information about users of the computer software may disclose information about a user of the computer software--

        (A) to a law enforcement agency in response to a warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant, or a court order issued in accordance with paragraph (3); or

Well, at least they need a warrant.

        (B) in response to a court order in a civil proceeding granted upon a showing of compelling need for the information that cannot be accommodated by any other means if--

          (i) the user to whom the information relates is given reasonable notice by the person seeking the information of the court proceeding at which the order is requested; and

          (ii) the user is afforded a reasonable opportunity to appear and contest the issuance of the requested order or to narrow its scope.

Bah. Any jackass who wants to pester you with a nuisance lawsuit can get a court order in a civil proceeding.

      [Snip the rest, mostly about how you can sue someone for violations.]

Bottom line: The solution to spyware is (1) technical measures such as ZoneAlarm, (2) Open Source software, and (3) prosecuting purveyors of spyware under existing fraud laws. Additional government interference into what kind of software I can write and distribute is not.

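The egress-alerting sandbox pete proposes in #9 and the "technical measures such as ZoneAlarm" in the bottom line above both amount to a default-deny outbound policy with per-program consent. The script below is an added illustration, not code from the thread or from any product named in it; it assumes a constructed "<time> <program> <dst_host> <dst_port>" connection-attempt record and treats loopback and private addresses as traffic that never leaves the machine or LAN.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ConsentPolicy:
    """Outbound (host, port) destinations the user explicitly approved, per program."""
    approved: dict = field(default_factory=dict)

    def grant(self, program, host, port):
        self.approved.setdefault(program, set()).add((host, port))

    def permits(self, program, host, port):
        return (host, port) in self.approved.get(program, set())


def parse_event(line):
    """Parse one constructed record: '<time> <program> <dst_host> <dst_port>'."""
    time, program, host, port = line.split()
    return {"time": time, "program": program, "host": host, "port": int(port)}


def is_local_destination(host):
    """Loopback and RFC 1918 addresses do not leave the machine or LAN."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname is treated as a remote destination
    return addr.is_loopback or addr.is_private


def classify(event, policy):
    """Return 'allow-local', 'allow-consented', or 'alert' (remote, no prior consent)."""
    if is_local_destination(event["host"]):
        return "allow-local"
    if policy.permits(event["program"], event["host"], event["port"]):
        return "allow-consented"
    return "alert"


def audit(lines, policy):
    """Return the events a sandbox would block and prompt the user about."""
    return [ev for ev in map(parse_event, lines) if classify(ev, policy) == "alert"]


# Constructed sample: a media player talks to a local proxy and then to a vendor
# stats host; the browser's destination was approved earlier; the LAN share is local.
SAMPLE_EVENTS = [
    "12:00:01 mediaplayer.exe 127.0.0.1 8080",
    "12:00:02 mediaplayer.exe stats.vendor.example 80",
    "12:00:03 browser.exe www.news.example 443",
    "12:00:04 installer.exe 192.168.1.20 445",
]


def sample_policy():
    policy = ConsentPolicy()
    policy.grant("browser.exe", "www.news.example", 443)
    return policy


if __name__ == "__main__":
    for ev in audit(SAMPLE_EVENTS, sample_policy()):
        print(f"ALERT {ev['time']}: {ev['program']} -> {ev['host']}:{ev['port']}")
```

Only the media player's second connection is reported: it reaches a remote host for which no consent was recorded, which is exactly the case the bill's notice-and-consent clauses target.
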
Great analysis, but flaky conclusions (4.33 / 3) (#24)
by Paul Johnson on Sat Oct 14, 2000 at 07:58:56 AM EST

First, kudos for reading the law and presenting this analysis. This is the kind of discussion that K5 is good for.

Now to the meat. I think you may be misunderstanding a few bits of the bill, and failing to appreciate the context of others.

What if I don't include electronic instructions for installation?

This needs to be rephrased. The senator was obviously thinking of typical MS programs where you stuff in the CD and up pops an installation program. The intent is to stop people hiding the notice in the 15th paragraph of the EULA at the back of the handbook. I should think a README or INSTALL file would count as well. I find it hard to envisage modern software which does not include some kind of install script, unless it be a very early beta release or something very simple. But such software would not include spyware anyway.

I understand not allowing employees to disable monitoring software, but I think it's ridiculous to exempt employers from the notification requirement.

That is handled by separate law. This is a law about consumers vs suppliers rather than employers vs employees. It is right for this law to avoid the employment issue.

What if the software's purpose is to collect such information? I'm now legally required to provide instructions for the impossible?

Needs a bit of redrafting to define "purpose". The assumption is that the software has an explicit purpose (e.g. playing a movie) and a covert purpose (collecting viewer information), and the software must allow the user to disable the covert purpose but still function for the explicit purpose. As you say, this is a bit confused. The language should explicitly recognise that disabling the information gathering facility might impair the function of the software which is related to that information. Cookies are a typical example: if I disable cookies in Netscape then some websites won't work.

Come to think of it, the privacy issue of cookies and web site tracking in general is not handled at all. This seems to be a major weakness.

And so on. Exercise for the reader: redraft this bill to solve these problems.

You are lost in a twisty maze of little standards, all different.
[ Parent ]

Of course... (2.00 / 2) (#25)
by BonzoESC on Sat Oct 14, 2000 at 09:54:51 PM EST

This whole spyware deal could be solved by everyone relinquishing their closed source Windows, Gamespy, and Winamp for the open-source alternatives.

Unfortunately, since that will probably never happen, this law is a step in the right direction.


Normally, my sig is an image.

Open-Source Windows? Ouch... (none / 0) (#29)
by end0parasite on Mon Oct 16, 2000 at 11:17:02 PM EST

Think of how much trouble this would cause. Think about how much trouble open-source *nix kernels have caused. I'm talking about bug exploits; crackers would find hundreds the day Windows went open source and every PC would be getting cracked.

Although I would like to see the source code. :)

[ Parent ]
The Windows source code (none / 0) (#30)
by pin0cchio on Tue Oct 17, 2000 at 10:49:37 AM EST

Here's pseudocode of the Windows source code.

Seriously, there is a Free windows clone.

[ Parent ]
This is control, not punishment (1.00 / 1) (#28)
by rednecktek on Mon Oct 16, 2000 at 12:56:54 PM EST

I haven't read the entire bill yet, but this appears to be legislation to "cap" the amount your privacy is worth, NOT to allow lawsuits for infringement of your privacy.

Just remember, if the world didn't suck, we'd all fall off.