Iowa Senate Proposes Making Spyware A Crime

Cooked Chicken writes "Iowa State Senator Keith Kreiman (D) is proposing Senate File 2200, an act making the distribution of Spyware without notice an aggravated misdemeanor, punishable by confinement for no more than two years and a fine of at least $500 but not more than $5,000. The proposed bill also provides victims and county attorneys with the ability to file a civil cause of action for relief from conduct constituting the crime of unauthorized collection and disclosure of personal information by computer."

I'm all for it.

It's illegal to personally use someone's machine without their consent. It doesn't take a huge jump of logic to see that launching a program to use their machine without their consent should be illegal as well.

Re:I'm all for it.

Agreed, but don't those asinine EULAs apparently cover everything? I mean, even one of Microsoft's says that you give them permission to remotely login and change anything anytime for any reason (if I remember correctly).

Re:I'm all for it.

Section 3a allows software programs to determine whether the user is licensed or authorized to use them (i.e. collecting information is not the main purpose of the program)

Section 3b allows software for technical support purposes on the user's request.

How does this "allow most spyware as legal?" The infamous gator, for example, is neither.

Penalties

In my humble opinion, those penalties are only remotely strict enough if they are assessed per instance installed. Otherwise, even the maximum fine of $5000 is a drop in the bucket for most adware/spyware perpetrators.

I am skeptical

This is a step in the right direction. We need this type of legislation ASAP. However, I should point out:

This bill establishes a criminal offense of unauthorized collection and disclosure

The problem is that much spyware explicitly tells the user what it is going to do: in the EULA. But how many users read the EULAs? How many people understand them? As a computer repairman for lots of moms, granny's, and kids, I can tell you that these people won't read the licenses even if I explain to them the importance.

the crime...by making available or providing access to computer software or an interactive computer service that collects identifying personal information and discloses such identifying personal information to persons other than the user without first giving the user notice.

Some interesting stuff

• It's legal if you disclose it in the EULA
• Making the software available is the crime: So hosting providers better watch out.
• Malware and adware are still okay
• "anonymous" usage info is still okay.

We privacy freaks now understand that "anonymous" usage information tied to "unidentifyable" facts like my sex, birthdate, and zip-code are sufficient to identify me when partnered with other databases.

Re:I am skeptical

RTFA.

Birthdate and zipcode are both explicitly considered as identifying information under this bill.

About time the Iowa Democrats did something useful

While they're at it, they could make identity theft a capital crime, raise speed limits on rural roads, and skip raising the sales tax.

Is it solving the underlying problem of spyware?

To paraphrase, the bill defines spyware as programs that send "Identifying personal information" without user knowledge or consent. It has a list of obvious exceptions, what's left is spyware.

a. "Identifying personal information" means ...
the following:
(1) Name.
(2) Address, including the street name or name of city or town.
(5) Social security number.
(8) Any other information identifying an individual.
(I cut some stuff out, but you get the idea.)

Do we hate spyware because it sends out this kind of information, or do we hate it because it runs in the background, shows pop-ups, and makes the computer unstable?
I don't have a problem with the bill, but I don't think it target's the underlying problem of nearly self-installing crap-ware.

btw, my computer's always 100% spyware free, it's my parents' computer that's beyond redemption.

Sangloth
I'd appreciate any comment with a logical basis...it doesn't even have to agree with me.

Bad Law

If you have too many laws for the Internet, you'll stiffle its development and waste a needless amount of society's resources.

People will be more apprehensive about developing new ideas for fear of lawsuits and others will spend enormous amounts on litigation.

And even if that's not true.

How could you write such a law. Spyware? What's that? If Microsoft polls your computer for update requirements, would that not constitute a violation of such a law? If so Microsoft will amend its license agreement to compel a user to allow such Spyware. People who write programs will draft similar licenses, then they'll be lawyers, and endless amounts of everybody's time and energy.

I would much prefer a technical solution at the user end, it's cheaper and more elegant.

Re:Bad Law

It's illegal to use another person's equipment in a way that they don't approve of, why not another person's computer? Does it matter if your mechanic hands you a stack of papers that says, somewhere on page 25b, that your car will be used every tuesday by Stop and Shop? It's still flagrantly illegal. Windows update is understandable behavior for an operating system, whereas if Internet Explorer sent your surfing habits back to Microsoft it wouldn't be.

I'm all for technological solutions, but if I'm going to be legally banned from flamethrowing someone's servers I want some degree of protection in return. Malware is any software that performs activities significantly differently than those it presents to the user for the purpose of doing something the user probably wouldn't approve of. If someone releases a program to stop pop-up advertising, and it turns out to also replace every icon on the desktop with a link to an AOL signup page, I want justice.

The first thing that needs to be done is, of course, throwing out EULA's. EULA's are not a product of necessity for the internet age, but rather an old leech in new clothing. There are widely accepted practices for software usage and sales, and those should be considered the standard.

Everyone knows what "Spyware" is, the same way that everyone knows what "Sexual relations" means. Just because some lawyer may try to make it meaningless by envoking a draconian definition doesn't make it any less meaningful to the person on the street.

Think about it....

The problem is that in the EULA of the program it usually says something about you permiting the company to run the spyware. We don't need laws about this, just more competent computer users.

Re:Think about it....

Even if it's printed in the EULA, it would be nice if the installer would inform you of exactly what program(s) was being installed, and that the spyware's uninstaller worked and removed it. We've seen numerous cases of spyware programs getting installed behind-the-scenes that don't have valid uninstallers to go with them.

And I'm not just talking about uninstallers for the spyware -- if I install a program that has a tagalong app bundled with it, I expect the original program to have uninstall options for those tagalong apps as well. Otherwise, it's a form of electronic littering.

It's Nice

It's nice that some state governments are willing to look after their constituents. It's just too bad that the US federal government (and most other governments worldwide) are unwilling to take such measures.

The history classes I've taken seem to suggest a time when western governments actually worked for their citizens, rather than against them. It would sure be nice to see a return to such days. (smarminess intended)

Some stuff to think about

One important thing to remember in this discussion is that many companies spend far more time keeping their networks spyware-free than they do worrying about viruses/worms. I know mine does.

I don't really view spyware/adware/etc as anything other than a virus/worm with an EULA. If mydoom had an EULA attached to it which specifically states how it will work, and what it will do (in perfect legalese) -- should this be legal to write and spread in the wild? I say hell no. Anyway, since EULA's are not signed (in any way), and don't even have to be read -- they're not really an "agreement". They're more of a proclimation. Not only are their names misleading, but certain fundamental rights cannot be taken away by an EULA (and these are). Why not call one of those rights "control over your computer and personal information"? Maybe even redefine how EULAs are written. If you're giving up control over certain functions and information, maybe it should be in BIG BOLD LETTERS in plain English at the top of the agreement (rather than somewhere in the middle, small print, and in legalese so ambigous, most lawyers would read it and say "WTF?").

It's about time that someone did something (not that this is the best thing to do). I'm all about freedom -- let people do what they want as long as nobody gets hurt. However, when software depends on mass trickery in order to propigate, then there is a problem. When it comes to spyware/adware, it's important to let people know what they're getting into -- this is where we should start.

Employers can spy; illegal cookies?

3. This section shall not apply to persons making available computer software or interactive computer service that is reasonably needed to do any of the following:

a. Determine whether or not the user is a licensed or authorized user of the software.

b. Provide technical support for the use of such software or computer service upon request of the user.

c. For any legitimate law enforcement purpose as authorized by applicable federal, state, or local law.

d. To enable an employer to monitor employee computer usage while such employee is within the scope of any employment as authorized by applicable federal, state, or local law.

By the way, this also appears to illegalize cookies.

4. As used in this section, the following definitions shall apply:

a. "Identifying personal information" means information that personally identifies a user of computer software or interactive computer service, including but not limited to any of the following:

[items skipped]

(8) Any other information identifying an individual.

Re:Ashcraft is

I don't see why this is offtopic. It's a rather insightful observation.

The bill as linked to above provides an exception for "legitimate law enforcement purposes." One of the problems with current law enforcement in the US is that illegal searches and seizures usually result in nothing more than the evidence collected, if any, being disallowed in the court. It will now be possible to bring suit for the gratuitous and unauthorized collection of information, as it falls outside "legitimate law enforcement" even if the parties happen to work for a law enforcement agency. If you don't think this affects John Ashcroft, you haven't been paying attention.

What about all those airlines that participated in CAPPS II in violation of their privacy agreements ?

The suits filed won't really collect money, of course, but they will provide a good opportunity to put certain people in deposition where they can say embarassing things. I think it would be good if this law were enforced to the hilt against people like John Ashcroft.