


California Sets Fines for Spyware 199
aj50 writes "The BBC has the story that California is introducing new laws to help eradicate spyware. The bill bans the installation of software that can be used to take over another computer and allows customers to seek $1000 in damages if they've fallen victim to this kind of malicious software. Can this really help cut down spyware or will it just be another fatally flawed piece of legislation?"
Yep, bad legislation... or maybe it's the summary (Score:5, Funny)
Goodbye, SSH. I'll miss you.
Re:Yep, bad legislation... or maybe it's the summ (Score:5, Funny)
Goodbye, Windows.
Re:Yep, bad legislation... or maybe it's the summ (Score:5, Informative)
carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, repair, authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter.
I skimmed through the bill text found here [ca.gov], and it seems fairly well worded. However, it doesn't solve the actual problem. An "authorized user" can still be suckered pretty much as before.
Kjella
Re:Yep, bad legislation... or maybe it's the summ (Score:2, Funny)
Re:Yep, bad legislation... or maybe it's the summ (Score:4, Interesting)
carrier, cable operator, computer hardware or software provider, or provider of information service
So
Re:Yep, bad legislation... or maybe it's the summ (Score:2, Insightful)
The scary thing about that is pointed out in the post just below yours: one of the purposes for which basically any program is allowed to monitor you is "prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software." Say hello to a wave of RIAA-sponsored MP3-eating worms that
Re:Yep, bad legislation... or maybe it's the summ (Score:2)
The way I read it is your ISP can monitor you for illegal activity, but a third party like the RIAA can't; of course if you're file sharing with a P2P app, you announce your activity to the world in general, by using a program you installed with inf
software that can be used to take over another (Score:5, Interesting)
Unfortunately, I don't see how the ban on installation of software that can be used to take over another computer... can be enforced, without completely outlawing any software upgrade service. Maybe the law is better worded than the article, but from experience I have my doubts.
Re:Yep, bad legislation... or maybe it's the summ (Score:2, Insightful)
Re:Yep, bad legislation... or maybe it's the summ (Score:4, Interesting)
Ooh, ooh; spelling flame time ... (Score:2)
s/nyet/nye/g
While I don't consider myself fluent in Russian, even I was made uncomfortable by this one. It's a lot like if you were to say in English "Truth is no News, News is no Truth". A lot of native speakers would at first be puzzled at what you're trying to say. But if you had a strong enough accent, they'd probably figure it out.
(We have a cockatiel that my wife named Milo, "po-chemu on takaya milaya ptitsa."
Watch out for the loophole! (Score:5, Insightful)
Among other things, this bans unauthorized installation of keyloggers, spam sending/relaying software, zombies, and disabling your anti-virus or anti-spyware software.
However, and this is a big however, they grant a blanket exception to your ISP or network admins. "Nothing in this section shall apply to any monitoring of, or interaction with, a subscriber's Internet or other network connection or service, or a protected computer, by a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service for network or computer security purposes, diagnostics, technical support, repair, authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter."
You could probably drive a truck through a loophole like that.
Re:Watch out for the loophole! (Score:5, Insightful)
Good work people!
Re:Watch out for the loophole! (Score:5, Interesting)
Re:Watch out for the loophole! (Score:4, Insightful)
Re:Watch out for the loophole! (Score:2)
Can you say MPAA/RIAA?
Re:Watch out for the loophole! (Score:4, Funny)
I can't. I tried. It came out sounding like "um-pahh, ree-ahh." My family thought I was speaking in tongues.
Re:Watch out for the loophole! (Score:5, Interesting)
I think they just made it explicitly legal for the MPAA, RIAA, or BSA to install spyware on your computer to counter copyright infringement. What a shame, a rotten egg in a perfectly good law.
Re:Watch out for the loophole! (Score:3, Interesting)
You can drive a truck through that loophole.
"Nothing in this section shall apply to any monitoring of, or interaction with, a subscriber's Internet or other network connection or service ... by a ... computer hardware or software provider, ... or detection or prevention of the unauthorized use or fradulent or other illegal activities in connection with a network, service, or computer software."
The part in bold essentially makes any spyware that is bundled by a software provider (Kazaa, GAIN, etc.) or hard
Re:Watch out for the loophole! (Score:5, Interesting)
Re:Watch out for the loophole! (Score:2)
If I had to guess, it is because someone wanted to get the law passed sometime this decade, so they watered it down. Apparently a little too much. =)
Re:Watch out for the loophole! (Score:3, Insightful)
Well, it looks like AOL is out of the red then. They can keep covertly installing WeatherBug and Viewpoint Media Player and adding bookmarks everywhere without users' consent.
Re:Watch out for the loophole! (Score:2)
DRM Truck? (Score:4, Informative)
"authorized updates of software or system firmware, authorized remote system management, or detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing software proscribed under this chapter"
This looks custom made for grievous EULAs for junk like Microsoft's Windows XP and Windows Media Player. Even the nasty Overpeer [slashdot.org] effort might be overlooked with an attitude like that. So the thing that is fundamentally wrong, doing things to other people's computers without asking them, is explicitly allowed if you are "authorized".
Another section defines "authorized user" and expressly prohibits EULAs as a vehicle:
22947.1.(b) "Authorized user," with respect to a computer, means a person who owns or is authorized by the owner or lessee to use the computer. An "authorized user" does not include a person or entity that has obtained authorization to use the computer solely through the use of an end user license agreement."
The contradiction is clear, how it will play out is not. If I click through Microsoft's Windows updater, have I signed onto having my computer monitored for copyright infringing works? What are security purposes? Microsoft's EULAs clearly grant them power to do these things and exercising those powers is a violation. We will see if some companies are allowed to violate this law while others are punished.
Re:Watch out for the loophole! (Score:2)
Checklist (Score:3, Funny)
"One form of spyware called adware has the ability to collect information on a computer user's web-surfing.
It can result in people being bombarded with pop-up ads that are hard to close."
Lesse. Arnold Schwarzenegger. Check. Hackers as evil villains. Check. Mixing javascript pop-up ads and Malware. Check.
"Can this really help cut down spyware or will it just be another fatally flawed piece of legislation?"
I dunno, what do you think?
Re:Checklist (Score:2)
spyware (Score:2, Insightful)
Unfortunately the average computer user doesn't know this
Re:spyware (Score:2)
Microsoft Windows is the biggest nuisance and security threat facing PC users in the coming year.
Thank you, I'll be here all week.
Money not worth the effort. (Score:5, Insightful)
But that won't happen because they don't really give a shit about "consumers" as long as they continue to consume. When we consume we fulfill our political function.
Re:Money not worth the effort. (Score:2)
Make Money Fast (Score:2)
Are you kidding me? Take a brand new computer, and go out there and install all kinds of software which has this junk in it which, naturally, is illegal as of today. Find all instances of said software which violates this law. Contact your lawyer on Monday and start collecting in small claims court. $1000 for each spyw
Re:Money not worth the effort. (Score:2)
How Gen-X of you. Who is the "they" of which you speak? Some secret cabal of billionaires? If the "they" is the California legislature, why would they enact the law if they didn't give a shit? The CA spam law is actually pretty good, read it sometime (CA Business & Professions 17529 et seq.), the legislature did their homework pretty well. I am finding it quite useful :)
In other news... (Score:2)
When you're not consuming
You're supporting COMMUNISM.
Like its predecessor [terrorgruppe.com], it had a devilish looking man and a hammer and sickle.
Well by definitions is where it might fail? (Score:5, Insightful)
Spyware does not have to take control of a computer.
It can be as simple as sending back browsing habits so cookies can, even, be not so far away from some spyware then,
Or it can just send credit card details or other browsing habits or snoop in places it shouldn't. All without "taking control" of another computer.
The devil is in the details. I would like to see what kind of software it really is defining as spyware.
Great Macintosh Support [tribbles.org]
Re:Well by definitions is where it might fail? (Score:2)
A good working definition for me of spy/malware is: any software which is installed without the user's knowledge and/or consent, and once installed, actively resists being uninstalled.
This may not define all types of spyware, but anything meeting these criteria is most likely spyware. At least I can't think of anything that matches this description, but which is not spyware.
Re:Well by definitions is where it might fail? (Score:2)
Re:Well by definitions is where it might fail? (Score:2)
On what, Windows 95? Nowadays, IE is installed whether you like it or not. All that tick box determines is whether or not Windows makes shortcuts to it.
Re:Well by definitions is where it might fail? (Score:3, Interesting)
Plus he didn't even read the article. He wrote: "Spyware does not have to take control of a computer.
It can be as simple as sending back browsing habits so cookies can, even, be not so far away from some spyware"
But the law disallows such actions.
Re:Well by definitions is where it might fail? (Score:2)
Or it can just send credit card details or other browsing habits or snoop in places it shouldn't. All without "taking control" of another computer.
Without taking control? Did the user send in their personal records and browsing habits voluntarily?
Your scope is out of whack. Those things are called "taking control." You're talking about "taking complete control." A court would know the diffe
Seek damages... from whom? (Score:4, Interesting)
Regardless of how you feel the question should be answered, will that be a choice?
Re:Seek damages... from whom? (Score:2)
> will that be a choice?
Well obviously not as it doesn't matter how secure your operating system malware spyware will still get. It does that in all computers just depends on whether the user is tricked into installing it or not. And tricking users is easy.
Great Macintosh Support [tribbles.org]
Re:Seek damages... from whom? (Score:2)
He got "MidAddle", just by surfing the web. See:
http://www.angelfire.com/un/midaddle/
If I hit you with a rock do you sue the universe? (Score:3, Insightful)
Obvious (Score:4, Informative)
The law, if it affects any spyware company, will only affect those who are incorporated and/or exist in the USA.
Re:Obvious (Score:2)
Re:Obvious (Score:2)
It's an interesting thought, but I think you could get very far into extraterritoriality and the like.
Think of the case with Yahoo and their auctions. France decreed it was everyone's job to make
Yes! (Score:5, Interesting)
Re:Yes! (Score:2, Insightful)
This cracks me up. If I steal a car, and the brakes don't work, so I get to sue the guy who made the car? Crime or no crime, you are D/L'ing a file "illegally", and you want to complain when it messes up your computer?
Re:Yes! (Score:3, Insightful)
Re:Yes! (Score:2)
If you steal a loaf of bread and the grocery store manager shoots you in the back with a 12 gauge as you run away, the grocery store manager goes to jail.
Re:Yes! (Score:2)
Re:Yes! (Score:2)
1. You are using more force than necessary. Setting a trap that has every intention of killing someone.
2. You are endangering innocents. For the brakes, it's whoever else may be hit by that out of control car. For a booby-trap it might be the fireman who may enter through that window in an emergency.
3. You have clearly committed either a gross misdemeanor or an actual felony before the other cr
**AA affected? (Score:3, Interesting)
Re:**AA affected? (Score:2)
Huh? (Score:5, Insightful)
Did they use the right language to be effective? (Score:5, Insightful)
I'm really concerned about this type of language. The effectiveness of this really comes down to "How do you define 'takes control'?" Snooping where you go in the Internet is not "taking control". I don't even know that pop-up advertisements can really be called "taking control" since I have ultimate control over the power button as well as the network plug in the back of the computer. Even if there is spyware installed, I have control over installing another browser or installing spyware removal software. VNC, PC Anywhere, and other such tools are meant to truly "take control" of a system, but they're obviously not spyware. I'm also concerned about spyware being used as the threat. I would think that viruses and spambots would be the obvious targets, but do they "take control" or do they just "steal CPU cycles"?
The article didn't go into great detail on this particular matter. How can one really define "taking control" if something ever goes to court on this? Or is it possible that this was just a bad choice of words on BBC's part?
Re:Did they use the right language to be effective (Score:4, Informative)
Re:Did they use the right language to be effective (Score:2)
I still see this as a problem, though. Even if the company is a U.S. company who is found guilty of this, if they're not based in California does California have the right to extradite? Well, now wait a minute! That then involves interstate network traffic which puts it under FEDERAL control, and the jackasses in Washington would never make a law similar to thi
Re:Did they use the right language to be effective (Score:2)
However, #4 is truly the interesting one. This is the supposed spyware one, but doesn't apply to any known spyware. This looks more like it's against pagejacking, which doesn't require any software installed at all; simple JavaScript will suffice. At its best, it could be used against some really obnoxious adware, but not spyware.
I don't see anything here that ha
Actually (Score:2, Insightful)
Let's face it, we all know some idiot users out there who do things that are just dumb (like clicking on that "Yes" button for GATOR's new and improved super-duper piece of $#!+). With that installation comes a whole host of things but the user did knowingly and willingly click on that "yes".
Now normally I'd say that this doesn't const
Payback Time! (Score:3, Insightful)
RIAA/MPAA contractors using spyware. [slashdot.org]
Slashdot moderators - cite the bill (Score:3, Insightful)
Group Fights Back (Score:4, Informative)
Recent Prop. in Cali has limited the rights of private lawyers to act on the public behalf which also makes it hard for a single lawyer to fight for a group of people.
The only way to really fight this type of spyware, ASSUMING there is someone with some deep pockets would be a class action, which is difficult to put together. You need to certify the class, then go to court to fight the 'bad guys.'
Re:Group Fights Back (Score:2, Interesting)
$1000 would allow action to be taken against the perpetrators in small claims court where only a subpoena needs to be served and criminal intent doesn't need to be proven.
You need to certify the class, then go to court to fight the 'bad guys.'
If and when a small number of individuals win in small claims court it may set the groundwork for a precedent to be set
Re:Group Fights Back (Score:5, Interesting)
Fines for the RIAA? (Score:2, Redundant)
The Bill (Score:2, Informative)
The bill also outlines many cases in which damages may be recovered. The $1000 damages that may be recovered refer to violations of section 22947.2 which defines how spyware
A thought (Score:4, Interesting)
Plan for world domination (Score:4, Funny)
2. Intentionally get infected with spyware.
3. Profit!
Re:Plan for world domination (Score:2, Funny)
Listen up Californians - how to get rich (Score:4, Funny)
2. Run it on all your PCs. Statistically each PC will have on average 28 pieces of spyware on it.
3. DO NOT FIX THE PROBLEMS!!! They are now evidence!
4. Carefully research each piece of spyware found by Spybot to see if you can sue the makers for $1000 each.
5. If you find anything, call your lawyer.
6. Profit!
Re:Listen up Californians - how to get rich (Score:2)
C//
Re:Listen up Californians - how to get rich (Score:2)
Waste of time (Score:2)
No... Ok, maybe. (Score:4, Interesting)
For other things which piggy-back on other programs this seems to be the only feasible way. Since it technically gets installed by hand there's really no hole to plug.
As much as virii and spyware (malware in general) is a problem there should be a clear distinction between what can be penalized and what can't. Things that prey on the gullibility of users should definitely be outlawed like any other con artist's scam. Things that have technical solutions should really rely on technical solutions. Don't fall into the habit of thinking that a strong law will plug your security holes for you.
If squirrels are getting into your birdfeeders don't advocate municipal squirrel destruction, buy a birdfeeder with a squirrel guard. (If you want to shoot the squirrels anyway that's your own prerogative.)
What it means (Score:2, Insightful)
Laws are NOT the way to deal with much of this (Score:2)
That's why I love FOSS. Better control. That's why Windows and IE have issues - little user control. The solution to a lot of the mess out there is to give users better control of their system. It's Firefox vs IE that best illustrates the concept. Firefox will be a runaway success in 2005.
Giving the user better control als
Re:Laws are NOT the way to deal with much of this (Score:2)
You need to be able to control what rights a piece of software has -- and that has always been one of *nix's strong suits.
*nix is getting there, but it hasn't always been there. Unix permissions are traditionally based on a per-user basis. What is really needed is a way to have per program permissions. Yes, I suppose you could setuid everything, but that's kind of kludgy. Most of the rest is available, you can set up a firewall to only give certain users access to certain ports, but even this isn't r
Re:Laws are NOT the way to deal with much of this (Score:2)
Firefox allows the user to have far greater control over how web content is presented and what web content is presented. It also doesn't allow for unannounced installation of software. It gives the user far better control than does IE. Windows gives the user some control,
From California? (Score:2)
Must be a new year's day prank.
Penalty for spyware! (Score:2, Funny)
Claria supports it - that means it's a crap law. (Score:2)
From the marketing scum themselves: clickz.com [clickz.com]
They're trying to convince us that adware is ok, but spyware isn't. How much do y'all want to bet that we see more "adware" companies popping up now?
so i wonder if... (Score:2, Interesting)
Law can be fixed over time (Score:2, Insightful)
However, most state legislatures have a few members on a clean up committee, usually called something like a "Legislative Review Committee," to recommend changes to existing law.
I strongly recommend you find out who they are for CA and encourage Slashdotters to lobby them.
Mandatory installation information (Score:2)
Uninstall information must be provided at the point of installation. This can be on the packaging of boxed software, or there must be a pointer to an uninstall file, giving its name and location, at the point of install. The uninstall information must be retained on the computer after the installation process.
No software whatever may install itself wi
A service business model? (Score:2)
But a business organization could amass that kind of knowledge and provide that as a service. You bring in your infected PC, they ID spyware, produce evidence, and you sign over 90% of your bennies to them. They then collect bulk judgeme
It's like obscenity laws. (Score:2, Interesting)
There's a big difference between services that COULD be exploited (SSH, AD, VNC), data-miners or adbots (Claria, MyWebSearch) and the real nasties.
Think CoolWebSearch *spit!*, VX2/NicTech and SecondThought. Each of those is considered malicious software in addition to spyware/adware because they install via exploits and use backdoor access to generate revenue.
S
Now Adaware and Spybot can finally get paid (Score:2, Interesting)
Ridiculous law... (Score:2)
As has been explained by the posts above, any bill outlawing spyware suffers from at least one of two fundamental flaws:
Ho Hum (Score:2, Interesting)
Hmm, sounds like the Junk Fax Law (Score:3, Interesting)
This may not work as well for malware, as many of the creators are not only NOT in California, they're not even in the USA.
Re:huh? (Score:2)
Re:huh? (Score:2)
Real VNC Wont Qualify (Score:4, Insightful)
If they were to honestly go after something like that, which has the user's permission... then even Microsoft would be toast.. ever hear of SMS, or even AD? It's all about 'remote control'...
Nah, VNC and related software is safe.. Now if people USE it improperly.. They could be fined, but they would have committed other crimes in the process anyway...
Re:Cookies (Score:2, Funny)
Given that most dollars only cost $1, I don't think you'll have any success in finding a $1000 dollar. If you do find a dollar worth $1000, let me know -- I'd love to cash those in!
Re:Cookies (Score:2)
Re:Cookies (Score:2)
maybe a year or two ago, but the canadian dollar will be worth more than the US Dollar if things continue the way they have been as of late.
most canadian online businesses are already looking to switch their billing companies to ones that support 'anything but the USD' because the conversion (or lack thereof) is killing us.
we used to get almost $1.50 CDN for every USD about a year ago, now it's almost 1:1...ridiculous.
the US economy is in the toilet and just getting worse by the day.
Re:Cookies (Score:2)
Re:Flawed (Score:2)