by Mike Masnick




Would An Anti-Spyware Law Do More Harm Than Good?

from the if-past-experience-is-any-indication... dept

Some folks in Congress have been pushing for anti-spyware laws for a few years now without much luck. It seems to get through the House and then get shot down in the Senate. Once again, a bill has sailed through the House, and the backers are hopeful it will get Senate approval this time around. However, the bigger question is whether such a law would actually help or hurt. There are a number of reasons to think that it would do more harm than good. First, any bill needs to "define" spyware, which is always a bit problematic. It can be even more problematic because everyone is confused by the name "spyware," which focuses on the spying part. The thing that is most annoying about most of these apps isn't the "spying" but the surreptitious installs. Also, if the CAN-SPAM law is any indication of how this works, it's unlikely to help at all. In fact, all such a law really does is spell out what you need to do to make "legal" spyware. That could make the problem much worse as companies figure out ways to obey the letter of the law while violating the spirit of it. At the same time, it's not clear that this law is even needed. As we've seen recently, folks like the FTC and New York's Attorney General have been getting aggressive in going after the worst offenders with existing laws already in place. While we're sure that the backers of this anti-spyware bill have the best of intentions, the end result is unlikely to be helpful, and could actually be quite harmful.

Reader Comments

  • claire rand, 16 Mar 2007 @ 12:58am

    kinda like spam

    There is a plus side to all this though: if companies obey the 'letter of the law', like some of the spam idiots have, it makes finding things easy.

    Especially if such programs end up containing a reference to the legislation that 'proves they are not spyware' somewhere, since it can't be too hard to look for that and filter those programs out before they install. It should at least cut down *some* of this stuff; frankly any reduction is probably a good thing.

    All the law *must* do is make sure that the computer owner's right to decide what is and is not installed is held to be paramount, thus avoiding license agreements that claim 'uninstalling is a violation' being enforced anywhere.

    Given the way courts have handled attempts to have anti-spam programs banned or restricted, I can see this going the right way, however, especially with a judge who has ever suffered from a popup.

    Defining spyware/malware is easy (on a personal level): it's "something I don't want". The easy way is to legislate that a program must make its functions visible, none of this hidden crap, and everything *must* have a working uninstall.

    Of course nothing is going to stop all the overseas rubbish, but as I say, if it cuts down even 5% of this rubbish it may be worth doing.

    Oh yes, and include penalties that allow your courts to go after the people benefiting from all this if they are in the States as well, please, to avoid the problem being offshored while all the data flows home.

    • Programming_3PO, 16 Mar 2007 @ 4:08am

      Re: kinda like spam

      "the easy way is to legislate that a program must make its functions visible, none of this hidden crap"

      Unfortunately, you've just legislated away any background service running on any operating system. Do you think the average user knows how to manually set up a network connection, or would they rather just plug the computer into "that box I was told to attach it to"? It's hidden background services that make that possible.

      A working uninstall that doesn't need to hit the internet to remove the application would be welcome, and easy to do as well.

      • Anonymous Coward, 16 Mar 2007 @ 7:28am

        Re: Re: kinda like spam

        Not really; making a function 'visible' means it appears in task lists, not masking its name or using stealth to hide.

        It doesn't mean it has to scream that it's running, but if you look it must be there.

        Also, the fact that it will be running gets listed in the install.

        As an aside, I'd love for Microsoft to 'sign' everything that comes with Windows, so Task Manager can show me what's running that *didn't* come as part of the OS, a la all the pre-installed crapware.

        • Enrico Suarve, 16 Mar 2007 @ 8:45am

          Re: Re: Re: kinda like spam

          I don't see how being visible in the task manager is going to help that much. Sure, I know *you* know how to check this and look for bad stuff, but your average user isn't going to be able to. If you aren't careful, by stating that spyware is all software that displays itself you legitimise the pieces that do (and I bet a load would start to show themselves so they are able to declare legally they aren't spyware).

          I too would love MS to sign stuff and have often thought the same thing, but the problem is that if they do this you let your guard down. Once that happens, all the bad guys have to do is figure out how to hack the signing process (not so hard given folks already hacked out the protection for Vista), and suddenly people start ignoring that nasty program cos it's part of Windows....

          Don't get me wrong, I would love to do something about spyware, something that would really hurt the creators (I work in end-user IT security). I just don't think that this approach is the way.

          • Anonymous Coward, 16 Mar 2007 @ 5:22pm

            Re: Re: Re: Re: kinda like spam

            Thinking of it, I'd have been happy with a list of what actually is on the Windows discs, so it's possible to see what 'could' be running. Oh, the MD5s for the processes and what they do would be nice. Matters less now that Google can do some of this. Ironic, Google helping Microsoft, but there you go.

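
Editor's note on the two asks in the sub-thread above (sign everything that ships with the OS, or at least publish a list of what is on the install media with a hash per file): both come down to comparing what is on disk with a manifest you trust. The script below is an added example of that check written for this page; it is not code from any commenter or from Microsoft. The file names, file contents and manifest are all constructed inside the script so it runs offline, and it uses SHA-256 rather than the MD5 the comment asks for, because MD5 collisions are cheap enough that a manifest of MD5s would let an attacker build a binary that matches a listed "good" hash.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large executables are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def audit_directory(directory: str, manifest: dict) -> dict:
    """Compare the files in `directory` with a manifest of name -> expected SHA-256.

    known    - on disk and the hash matches the manifest
    modified - listed in the manifest but the bytes on disk differ (tampered with,
               or simply patched since the manifest was produced)
    unknown  - on disk but not listed anywhere: the "didn't come with the OS" case
    missing  - listed in the manifest but not on disk
    """
    report = {"known": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        seen.add(name)
        expected = manifest.get(name)
        if expected is None:
            report["unknown"].append(name)
        elif sha256_of_file(path) == expected.lower():
            report["known"].append(name)
        else:
            report["modified"].append(name)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def build_demo(directory: str) -> dict:
    """Write constructed stand-in files and return the manifest that 'shipped' with them.

    The names are borrowed from Windows for readability only; the contents are made up.
    """
    shipped = {
        "svchost.exe": b"MZ\x90\x00 constructed stand-in for a vendor binary\n",
        "explorer.exe": b"MZ\x90\x00 constructed stand-in for another vendor binary\n",
        "notepad.exe": b"MZ\x90\x00 constructed stand-in that is never written to disk\n",
    }
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in shipped.items()}
    for name in ("svchost.exe", "explorer.exe"):
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(shipped[name])
    # Alter one listed binary after the manifest was produced.
    with open(os.path.join(directory, "explorer.exe"), "ab") as fh:
        fh.write(b"<appended bytes>")
    # Drop in something nobody listed (the pre-installed extra the commenter wants flagged).
    with open(os.path.join(directory, "helper.exe"), "wb") as fh:
        fh.write(b"MZ\x90\x00 constructed unlisted binary\n")
    return manifest


def run_demo() -> dict:
    """Build the constructed directory in a temp folder, audit it and return the report."""
    with tempfile.TemporaryDirectory() as directory:
        manifest = build_demo(directory)
        return audit_directory(directory, manifest)


if __name__ == "__main__":
    for category, names in run_demo().items():
        print(f"{category:9s} {', '.join(names) or '-'}")
```

Running it prints one line per category: svchost.exe known, explorer.exe modified, helper.exe unknown, notepad.exe missing. Two caveats a practitioner would add. The check is only as trustworthy as the manifest, which is the same weakness Enrico raises for signing: if the attacker can rewrite the list, everything hashes clean, so the manifest has to arrive over a channel the attacker cannot write to. It also only describes bytes on disk; a process that has been modified in memory will still hash clean, every legitimate patch moves a file into "modified" until the manifest is refreshed, and "unknown" only means unlisted, not malicious. On Windows the signing ask maps to checking the Authenticode signature of each running process's image (PowerShell's Get-AuthenticodeSignature), which does not need a fresh manifest after every update.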

  • Peter Rock, 16 Mar 2007 @ 1:12am

    Law?

    Why bother? If you want the best defense against spyware, just use free (as in speech) software.

  • Micheal Rossiter, 16 Mar 2007 @ 1:44am

    Spyware

    Surely the easiest way is to simply BAN all third-party installs when software is installed.

    Then when you start the app for the first time it asks you to MANUALLY install the spyware/adware app warning you the product is advert supported and offering you an uninstall for the main app if you didn't realize this when you got the program.

    With such a warning, ALL non-user-chosen apps would instantly be breaking the law if they installed advertising/spyware without having the user MANUALLY double-click an EXE to install.

    The other cool thing would be a STANDARDIZED and short spoken AND text warning such as:

    "THIS SOFTWARE IS SUPPORTED BY ADVERTISING AND MAY COLLECT PERSONAL DATA, IF YOU DO NOT WISH THIS TO HAPPEN DO NOT USE THIS SOFTWARE"

  • ALOK TIWARI, 16 Mar 2007 @ 3:24am

    This site is great, I like it very much.

  • security, 16 Mar 2007 @ 5:16am

    Up to $3 Million in Fines Per Violation

    Someone would have to OPT-IN for the following:

    The bill also would prohibit surreptitious keystroke logging, browser hijacking and the unauthorized removal or disabling of security software installed on a computer. Violators would face civil penalties of up to $3 million per violation.

    Perhaps the amount of the potential penalties may be one factor. Also, many of these malware attacks are not from the USA and may not be practical to litigate.

  • jonathan, 16 Mar 2007 @ 5:40am

    anti spyware law

    One was already passed in 2004; a lot of good that one did, it affected only two companies I know of.

  • John, 16 Mar 2007 @ 6:17am

    highly ill conceived

    Any attempt at this will create a frivolous lawsuit magnet.

    I hate spam as much as anyone, but I'd rather rely on my Gmail spam filter and SPF records than create new laws.

    • Gary, 16 Mar 2007 @ 6:39am

      Re: highly ill conceived

      I completely agree. This is just another one of thousands of laws "meant" to protect us, but we aren't all complete idiots. Some of us can actually function on a daily basis without these laws. Wow, could that be possible?

  • Overcast, 16 Mar 2007 @ 6:21am

    Why do the 'legal' types never stop whining about spam? I swear, every place I've ever worked in IT, the legal departments cry, complain, and bitch more about spam than anyone.

    Guess it makes sense they would want a 'law' against it.

    So ok, yeah, ummm... go prosecute some guy in China that's sending email spam through some small US company's Exchange 5.5 server with an open relay.

    Most spammers already go to lengths to avoid blacklists and such, and are already adept at dodging the 'system'.

  • Fred Flint, 16 Mar 2007 @ 6:24am

    What About Micro$oft?

    Everyone seems to forget that Micro$oft is the company that does the most "hidden installs" and changes to people's computers. Do they spy on you?

    Well, figure out why they only provide half a firewall! It blocks "incoming" but ignores "outgoing", like spyware. Duh!

    Micro$oft will never allow such a law.

  • Enrico Suarve, 16 Mar 2007 @ 6:36am

    Arguing Black is White...

    There are lots of good ideas in the other posts, but I've met people (and worked with them) who could rip most of them apart easily, install spyware on your machine and still obey the letter of the law, as Mike says.

    We have two problems here:

    1) Make the law too defined and you are going to cut out legitimate business and technology models
    2) Make it too loose and it's going to be easy to work around and effectively legalise some spyware

    Sorry to do this, but for example, taking apart some of the arguments already presented:

    "all the law *must* do is make sure that the computer owner's right to decide what is and is not installed is held to be paramount"
    A lot of spyware already is installed specifically by users who simply don't understand that "In order to work properly this software will send information to...." = spyware

    "the easy way is to legislate that a program must make its functions visible, none of this hidden crap,"
    Define hidden: there are a lot of modules legitimate programs install that they don't specifically tell you about (most users wouldn't understand what they are anyway). I'll just put my spyware in the 'automatically download security updates' module then; you're bound to want that.

    "everything *must* have a working uninstall."
    I agree, but define working: I'd write something which uninstalled itself fully on demand, but would not reverse configuration changes made to the OS itself on install which made you more vulnerable to direct attack, since I "can't" reverse these changes as I have no way of knowing if other programs rely on them now. Obviously I'd exploit your vulnerability from my overseas company.

    "if it cuts down even 5% of this rubbish it may be worth doing."
    But if it potentially legalises 10%.....

    "include penalties that allow your courts to go after the people benefiting from all this if they are in the States as well please"
    YES, definitely agree with you there that this is the way ahead, but this is another story.

    "surely the easiest way is to simply BAN all third-party installs when software is installed."
    That would make programs which download third-party drivers, Java, ActiveX etc. potentially illegal.

    "Then when you start the app for the first time it asks you to MANUALLY install the spyware/adware app warning you the product is advert supported and offering you an uninstall for the main app if you didn't realize this when you got the program. THIS SOFTWARE IS SUPPORTED BY ADVERTISING AND MAY COLLECT PERSONAL DATA, IF YOU DO NOT WISH THIS TO HAPPEN DO NOT USE THIS SOFTWARE"

    This may be the best suggestion of all, but the basic underlying problem is that this is already done for a lot of the stuff out there (emoticons used to do this a lot; don't know if they still do), but the warnings are hidden in the ultra-wordy EULA, and even then people (my kids included) don't know what this means, so click anyway.

    The problem is that all of these suggestions (and some of them are good) in the end rely on users understanding the issues involved, and my experience is that often they don't, nor should they have to.

    Passing laws like this that attempt to define it are dangerous, as they open loopholes and give a patina of legality to software which narrowly gets around them.

    Although I appreciate the attempt by Congress to do something, this may be misguided (although a vast improvement on attempts in other areas).

    Finally (if you have read this far), if you do pass these laws and they do work, the adware manufacturers will all move to China....

    Stick to fining the companies being advertised: it's more straightforward, does not risk legalising some spyware and should work. When going after an army it's usually better to strangle the supply lines than face them head on....

  • Peter Rock, 16 Mar 2007 @ 6:52am

    The Best Suggestion?

    Enrico comments:

    "THIS SOFTWARE IS SUPPORTED BY ADVERTISING AND MAY COLLECT PERSONAL DATA, IF YOU DO NOT WISH THIS TO HAPPEN DO NOT USE THIS SOFTWARE

    This may be the best suggestion to it all [...]"

    Umm...or, you could just use free (as in speech) software.

    • Enrico Suarve, 16 Mar 2007 @ 7:23am

      Re: The Best Suggestion?

      Actually I was quoting another post for that bit, but fair enough, since you've mentioned it twice I'll bite...

      "Umm...or, you could just use free (as in speech) software."

      Define 'free (as in speech) software': what exactly is this? Are we talking open source software? And if so, how exactly does this help reduce spyware? (Other than open source spyware filters, obviously.)

  • Wizard Prang, 16 Mar 2007 @ 7:54am

    Why a law won't work

    1) It only applies to advertisers within the US...

    2) ...that you can catch...

    3) ...that will actually care about a law that stands between them and making a buck.

    Personally I am of the opinion that the only thing that would affect a spyware/spammer (they both have the same mentality) is to make them bear the cost in some way.

    When net vigilantes signed Alan Ralsky up for thousands of catalogs, he saw it as "harassment", but refuses to understand that this is highly analogous to the harassment that he causes others.

    Another way might be for major corporations to sue them for cleanup costs.

  • Peter Rock, 16 Mar 2007 @ 8:47am

    the best defense

    Enrico asks:

    "how exactly does [free software] help reduce spyware?"

    Enrico, I decided to answer that question in full here. You also asked for a definition of "free software" which is provided in links on that post.

    Hope that helps.

  • Enrico Suarve, 16 Mar 2007 @ 9:17am

    Sorry - heavy workload

    The line I typed above makes no sense; it should be:

    by stating that spyware is all software that DOESN'T display itself you legitimise ALL the pieces OF SOFTWARE that do

    Sorry

  • rstr5105, 16 Mar 2007 @ 9:40am

    Or we could

    Or we could simply require everyone buying an internet connection to take a small test. This test would include things like plugging the computer into the modem/wall jack (for those people still stuck on 56k) and basic internet security (firewall, Spybot, Ad-Aware, antivirus software), and anybody who failed to pass with at least (roughly) 95% is simply refused. The correct answers would not be given after the test, and in order to get said internet connection the person who was attempting to purchase it would go to a free internet security seminar (discussing the above-mentioned internet security tools) and would have said test re-administered.

    We don't need to legislate, we need to educate.

    Rstr

    • Enrico Suarve, 16 Mar 2007 @ 9:57am

      Re: Or we could

      Nice idea, but a little arrogant maybe? Just because computers are something you use and understand doesn't mean they are something that everyone will or should (at least not to the depth required to counter spyware, which is often far from basic).

      This even leaves out the fact that a lot of spyware installs without the user's consent in any manner, using backdoors.

      Do you have a full in depth understanding of everything you use? Everything?

      Why should computers be treated any different?

    • Walter Dnes, 17 Mar 2007 @ 12:03am

      Re: Or we could

      Re: Comment 20 by rstr5105

      > spybot, adaware, antivirus software [...yada, yada, yada...]

      What about those of us who have the intelligence to choose an OS and browser that don't run ActiveX drive-by downloads? There are some OS's where there *IS* a difference between *OPENING* an attachment versus *EXECUTING* that same attachment.

      A firewall is still a good idea, but how about testing on the actual computer the user will be using.

  • Peter Rock, 16 Mar 2007 @ 9:49am

    Enrico asks:

    "how exactly does [free software] help reduce spyware?"

    This is an important question. I answer that here.

  • rstr5105, 16 Mar 2007 @ 11:17am

    re enrico

    I don't have a FULL in-depth understanding of everything I use, but I won't use something until I have more of an idea than "push this button to turn it on".

    Basic malware scans and internet security should be a MUST for everyone.

    I'm not saying it will eliminate the problem, and maybe it is just a bit arrogant, but it will help.
