Australian Gov't To Consider Spyware Laws

bernie writes "It seems the US is not the only country with spyware legislation in the works. According to this Computerworld article, a bill outlawing the 'harvesting without consent corporate or personal information via a Web site or with software applications for marketing purposes will be classified as 'spyware'' and is set to go before parliament later this year. In addition to making all 'spyware' opt-in the bill will cover 'malware' such as viruses, trojans, and worms. Interestingly, the article cites lack of 'international cooperation' as a barrier to effective enforcement of cyberlaws. Also included is a statement from the EFF that it 'would like to see a more serious effort made to use existing laws against unfair trade practices, misrepresentation, computer fraud and abuse, before new technology-specific laws are passed'."

To repeat:

[swordboy]

Unless the Australian government has jurisdiction in foreign countries, this has the same affect as spam laws:

The assholes just relocate to another country.

Re:To repeat:

[Techguy666]

That doesn't mean that governments should just give up and not make these laws. Enough of these laws get passed around the world, those who intentionally wish to violate these laws will have no place to hide.

After the laws are passed, even if a few second or third world countries allow spyware / spam creators to work in their countries, the countries with spyware/spam laws can form a "coalition of the willing" and blackhole violating countries altogether until they comply and pass similar laws. (Wow, even Bush can serve as an educational example.)

Regardless of the politics of tossing entire countries into a blackhole filter, the point is that inaction allows spammers and spyware creators to breed.

Re:To repeat:

[L. VeGas]

..even if a few second or third world countries allow spyware / spam creators to work in their countries, the countries with spyware/spam laws can form a "coalition of the willing" and blackhole violating countries

Hey, it worked to keep out drugs, didn't it?

Oh, wait..

Re:To repeat:

[stanmann]

Difference is people want drugs... Drugs are fun... SPAM isn't.

Re:To repeat:

[gcaseye6677]

Also, when it becomes too difficult or impractical to send spam to large amounts of people, spamming will drop off altogether. The success rate is low even now, and when spammers face the realistic possibility of prosecution, they will probably decide its not worth it and go back to writing bad checks or whatever they used to do to make money.

Re:To repeat:

[chadjg]

It's a question of motivation. The profit margins for drug smuggling are huge. It's also easier black hole a domain or to really throttle them than it is to seal a border.

Unless the Russians, Hungarians, Chinese and others are willing to print the IP packets out, roll them up and keister them, anti-drug logic doesn't apply to spammers. You never do know, the drive and ingenuity of the greedy is probably limitless.

Re:To repeat:

[eggoeater]

Yup. And the people who make this crap (like that stupid monkey tool bar...) will just change the EULA, that all my relatives just click through, giving them permission to harvest info and install more spyware without further notice.

EULAs - was Re:To repeat:

[Techguy666]

If it has an EULA and people have to "accept" the program before it runs, should it be placed in the same category as other spyware? If you say "no - it's still spyware all the same - people just click through the EULA without reading it", then what would you say about Windows XP, where you have an EULA and data gets transferred to and from Microsoft regularly (especially if you use Windows Media Player 9)?? Is that the same thing?

Users need to take some responsibility for clicking through EULAs. There

Re:EULAs - was Re:To repeat:

[teidou]

what would you say about Windows XP, where you have an EULA and data gets transferred to and from Microsoft regularly ... Is that the same thing?

Yep.

Re:EULAs - was Re:To repeat:

[spectre_240sx]

Yes, but it doesn't take you half an hour to drive the correct way down the street like it does to read some of the heftier EULA's out there. The inconvienience of reading a long EULA for every single piece of software purchased is a burden that should not be placed on someone when they have paid for the use of something fairly. Wide licensing schemes which multiple products can be registered under would be a fine alternative, but any company who wishes to have you sign your life away is obviously not going

Re:To repeat:

[strictnein]

Excellent, we'll need less nukes.

We'll need fewer nukes.

The best part

[Anonymous Coward]

Users will be required to install the Australian government's spyware to make sure other spyware isn't installed.

Good!

[suqur]

The more spyware/malware laws we get the better. It's so frustrating trying to use a computer with tons of spyware and spyware trojans. Ugh. And they say the average PC has 28 spyware programs running on it! This needs to stop.
It took me about 8 hours to clean out a friends computer the other day. He had about 15 viruses all installing spyware daily.
Here's some suggestions for cleaning your computer:

Grisoft's AVG Anti-Virus Free Edition - this is key. Free auto-updates too
http://www.grisoft.com/us/us_dwnl_free.php [grisoft.com]

Lavasoft's Ad-Aware - run it every so often, and always be sure to update it manually.
http://www.download.com/3000-2144-10045910.html?pa rt=69274&subj=dlpage&tag=button [download.com]

CWShredder - removes only a few trojans that give you tons of ads, but does a better job of fully removing them than ad-aware.
http://www.spywareinfo.com/~merijn/downloads.html [spywareinfo.com]

Spybot-Search & Destroy - Similar to Ad-Aware. You should run both.
http://download.com.com/3000-8022-10122137.html [com.com]

Re:Good!

[thedillybar]

Grisoft's AVG Anti-Virus Free Edition - this is key. Free auto-updates too
Wonderful Anti-Virus software, but what does it have to do with spyware/malware? I've been running it for a few months now and it's caught 1 piece of spyware while Adaware has got hundreds. I think it's designed to be anti-virus not anti-spyware/malware.

Spybot-Search & Destroy - Similar to Ad-Aware. You should run both.
Is it really necessary to run both? I've been fine with just Adaware for a while now.

Re:Good!

[Mz6]

"Spybot-Search & Destroy - Similar to Ad-Aware. You should run both.
Is it really necessary to run both? I've been fine with just Adaware for a while now."

Actually, it's recommended to run both of them. The reason is because they both use different methods of determining spyware. While one may not find/remove a spyware program, the other may remove it perfectly. It shouldn't take much to install and run both nd you are protected that much more. Besides, you can't beat the rpice... right?

yes, run both

[The Queen]

Every day I run Ad Aware, it finds a few dozen things, then I run Spybot, and it finds more junk Ad Aware leaves behind.

Still trying to get everything off PERMANENTLY, so thanks to all for the many suggestions posted. :-)

Re:Good!

[suqur]

Wonderful Anti-Virus software, but what does it have to do with spyware/malware?

So many people don't run Anti-virus software, and many of these people are the same that open up email attachments they weren't expecting.

There are TONS of trojans out now with the simple payload of installing spyware on your PC.

The PC that I mentioned I worked on recently had over 500 dll/registry keys/executables and bookmarks (not counting another 300 cookies) that were found as spyware. I removed them all with Ad-Aware, and after a reboot, another 150 files were immediately put back by about 15 different trojans.

I consider anti-virus to be a huge deterrent to spyware.

Is it really necessary to run both? I've been fine with just Adaware for a while now.

They both find different things. So yeah, it's good to run both. Spybot also has some nice features to automatically setup your hosts file and other things to block even more spyware.

Re:Good!

[frodo from middle ea]

If the PC was that badly infected. Don't you think a better option would have to format the whole thing. Run some kind of boot sector virus scanner using some boot disk and reinstall every thing.

Re:Good!

[suqur]

That would have been so much better, but I was only visiting for the weekend and he didn't have his Windows CDs or any way to back stuff up. :(

I'm reasonably sure that I cleaned it off 100%. I gave him some training on email viruses, and ActiveX installs on the web, so hopefully he'll be able to go awhile before getting into the same situation.

BTW, his PC is running SO much better now. It actually performs like a clean install of windows.

Re:Good!

[jacksonyee]

Is it really necessary to run both? I've been fine with just Adaware for a while now.

It's not absolutely necessary to run both, just as it's not absolutely necessary to run a virus scanner if you're relatively sure that your firewall will stop most of the viruses going into your network.

However, having two separate programs with two separate databases increases the chance that one particular vermin might escape, since there are two levels of checks against it. What was the last program you used that did absolutely every single thing that you wanted it to do? For me, having two separate programs avoids vendor lock-in and encourages improvement. It's still not 100% secure - nothing is. However, it's a little bit more peace of mind when you go to clean your co-workers' computers off because Internet Explorer gave them more bugs than an open can of Mountain Dew in the summertime will attract.

Re:Good!

[suqur]

I forgot to mention HijackThis. It's another great tool for getting rid of spyware, but it's definitely for the more advanced user. It'll show you both good and bad items, so discretion is important.

You can easily track down spyware by googling for the different exes and get tips on removing them.

http://www.spychecker.com/program/hijackthis.html [spychecker.com]

Re:Good!

[Walles]

Wouldn't stopping the influx be a better first start? Something like first installing a firewall, then installing some Mozilla derivative and *then* start cleaning the box.

I don't see how cleaning up would do any good as long as the system keeps being a spyware / virus / spambot magnet. You'll just have to do it again after a short while.

GriSoft's free edition limitations

[WoodstockJeff]

Interestingly, the "free" edition of AVG is limited to systems that are not networked in any way... Quoting the "important notice!":

IT CAN NOT BE INSTALLED IN ANY NETWORKED ENVIRONMENT!

Last time I checked, "Internet access" (email, web pages, etc.) involved a "networked environment", meaning that anyone who needs an antivirus product is excluded from running the "free" AVG scanner...

Re:GriSoft's free edition limitations

[tordia]

Ahh, but the keyword is installed, not used.

Solution: unplug the network cable while installing it. When done, plug the network cable back in.

:)

Re:GriSoft's free edition limitations

[WoodstockJeff]

No, no, no! Just unplugging the cable isn't enough! If the computer is still in the same room as a hub or router, it's still in a "networked environment", so you can't install it there!

You must unplug it, take it out into the street, and install it there. And heaven help you if there's a WiFi access point in the area!

B-)

Legislation is almost as scary

[yintercept]

The more spyware/malware laws we get the better.

I am staunchly opposed to spyware. I was disappointed with the article however. The article seemed to place dropping a cookie on the same level as using a Trojan to install a program that pop ups ads left and right.

From the article:

No program or cookie or any other form of tracking device is to be installed on any computer without the user of that computer being given clear information as to the purpose of the program or tracking device

Come on! The easiest way to do session management is to drop a cookie. The article in question suddenly classifies the majority of interactive web sites (forums, online stores) as spyware because they drop cookies for session management. To have an online store, you have to be able to track the user as they place things in their shopping cart, then procede to checkout. To keep a shopping cart between sessions or to keep user information available for the next forum discussion...you drop cookies that extend beyond the session.

Yes, there are privacy concerns with third party cookies from large entities like doubleclick and valueclick. These companies already have privacy statements, and have big legal departments and contribute to PACs to assure whatever they do is legal.

Laws that get passed from ill informed groups like the one quoted in the article simply create hassles for legitimate firms trying to do legitimate business. It will not affect the large ad firms like doubleclick and valueclick. Nor will they have any affect on the people willing to work on the fringes of society.

I am all for efforts to define and regulate adware. Such companies actually have code downloaded installed and running on people's computers. Unfortunately, I doubt legislatures will have the tech savvy to make such definitions. Especially in a world where privacy rights advocates are as befuddled by session management with cookies as they are with a trojan that includes code that tries punching holes through firewalls.

Re:Legislation is almost as scary

[downunda_wookiee]

The bill does not say you can't put a cookie on the user's pc, rather, if you do, you must inform the user what the cookie does, what information it contains and why you need to put it there.

I don't particularly like the fact that they're only insisting spyware inform the user what it's doing for the simple reason that most users don't read EULAs anyway. But at least it's putting the onus on the spyware to *attempt* to tell the user what's going on.

.wook

a legislative idea

[millahtime]

Interestingly, the article cites lack of 'international cooperation' as a barrier to effective enforcement of cyberlaws.

An idea to get international cooperation would be to make it an act of war to get a mail bomb or any other kind of attack. We (in the US) get a couple of these... go knock on that countries door a few times and we'll get the cooperation from everyone we are hoping for.

Adaware

[thedillybar]

Don't think this means you can do without Adaware [lavasoftusa.com] or some other anti-spyware software. Worms and viruses have been illegal for a long, long time; you still wouldn't let any non-tech-savvy person near a computer without antivirus. It will be a long, long time (probably not in our lifetime) before we can do without anti-virus and anti-spyware stuff.

If these bills cut the number in half I'd be pleased.

Re:Adaware

[kwoff]

I do quite fine without Adaware, and I have no spyware.

Re:Adaware

[kwoff]

Because I don't install random applications which would contain spyware.

Too bad....

[tha_mink]

Spyware. It's nasty. But...(and I hate to say it), I make a pretty good amount of money removing it from client PCs. "Internet Optimizer" and "XXXToolBar" are 2 of the more particular nastier ones I come across. It makes it virtually impossible to use IE. When one finds out what these nasties do and how they do it, one gets surprised that they aren't illegal yet. I am all for making this stuff illegal but I sure will miss the extra income.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Too bad....

[Eraser_]

I have a really bad habit of installing Mozilla for people who have IE/OE related woes and never getting a call back from them again. I do make sure and "leave" a couple extra business cards though, and eventually their friends start calling.

Better yet, the other day I got a lead on a car dealership that needs a new "on-call" tech guy, plus a network overhaul. All this from a little spyware prevention lesson.

I have an idea

[Anonymous Coward]

Let's pass a law. That always stops people.

How Does This Work

[somethinghollow]

When it says "Click Yes to install if you agree with the EULA." and the user does, what is the problem? People install spyware themselves. It's (at least for the most part) an ID-10T error, not an exploit. Are these governments going to MAKE users read and understand EULAs before installing things? Aren't these people warned in the EULA before they install? Granted, I hate spyware as much as the next, but the worst I've had is DoubleClick cookies that AdAware says is spyware. I just click "No" by default now instead of "Ok" when the "install software" box pops up in IE (at work... never had the problem with Safari at home).

Re:How Does This Work

[WoodenRobot]

Aren't these people warned in the EULA before they install?

One nasty problem with this is the fact that often by the time you get to a page with a EULA, the damn site's installing spyware - and the EULA's something along the lines of "by looking at this page, you agree to be infested".

Yeah, there's a EULA, but it's effectively worthless, and is just a get-out-of-trouble clause for the malware supplier...

Re:How Does This Work

[mikera]

It's a pretty basic principle that in order to have a fair contract, a person must have a full understanding of what they are agreeing to. Free markets require informed consent on every transaction in order to work effectively.

In general that's not the case. That's a fundamental flaw with EULAs - people simply don't read them.

On top of that - people make mistakes. Perhaps just *once* you forget to tick the no spyware checkbox. Do you therefore deserve a permanently compromised machine?

This all makes Spyw

Re:How Does This Work

[tsg]

People install spyware themselves.

People install email viruses themselves, too, because they are fooled into doing so.

It's (at least for the most part) an ID-10T error, not an exploit.

It's a social exploit like telling someone you're from tech support to get their password. No, they shouldn't give you their password, but that doesn't absolve you of lying to them to get it.

Are these governments going to MAKE users read and understand EULAs before installing things?

If EULAs were more understandable

Re:How Does This Work

[Dachannien]

When it says "Click Yes to install if you agree with the EULA." and the user does, what is the problem? People install spyware themselves. It's (at least for the most part) an ID-10T error, not an exploit.

Personally, I'd consider social engineering (which this is) to be the original exploit.

Re:How Does This Work

[Tokerat]

Are these governments going to MAKE users read and understand EULAs before installing things?

Is it even in the EULA half the time?

Good spyware!?!?

[vijaya_chandra]

?Not all spyware is bad but most is sinister"

I don't get this, can someone suggest a good spyware?
Or is ntpd also nowadays considered spyware??

screen capture utilities used to capture passwords,..
Damn, now I know why all those passwords in our web site's user db are showing up as long "*"s upon decryption

(Karma be damned; I am no better than an AC anyway)

Re:Good spyware!?!?

[will_die]

How about the google toolbar?
If you have the option on it records information about your searchs and sends them back to google.

Milk and Cookies?

[mratitude]

What is the legal liability within the WWW community of the standard for setting cookies and other session tracking techniques within this law? It's this relationship between web server and web client that leaves the door open for spyware.

The intent of the law will be to establish the intent of the person using the browser rather than the intent of the web site organization who put up the url. But the web operator doesn't force anyone to click their link and the tools are available to prevent most spyware from loading across the link. Will the legal standing become nothing more than the equivalent of individual intent and unstated permissions?

It'll be an interesting legal question as to where various digital rights boundaries start and stop.

they should have followed New Zealand's lead...

[MariaK]

It would be so much neater to just go the same route for distributors of spyware as some have done for spammers. Release their personal information [nzherald.co.nz] online along with a description of their offenses and let the outraged masses take care of it. Prosecute fully for any violent offenses, but if the offender is simply driven to cut off his phone line and Internet connection thanks to all the harassment he gets, that'd be fine.

The same approach might be less effective against corporations, but I'd still love to see an attempt.

But will this REALLY stop spyware?

[caffeineboy]

It seems to me that there are two major categories of spyware:

• The kind that tries to be "legit" and actually tells the user (somewhere in the EULA) that it is installing. Claria/Gator is this type.
  
• The kind that doesn't give a damn and installs through known IE exploits and weaknesses (Cool Web Search and Xupiter are like this)
  

The problem that I can see is that type 1, even though it sucks and no sane person wants it on their computer if it were presented honestly, is probably already compliant with these laws because somewhere in the EULA it explains what it is doing. Never mind that even moderately intelligent people just click "OK" as soon as any dialog box pops up on their computer (my fiance still hits "OK" whenever she goes to an encrypted page since she doesn't take the time to read the box and click "don't show this dialog again").

The problem with the second type is that they don't give a damn now and they're not going to give a damn. I can't belive that using exploits to install software is not already illegal somewhere, and many of these type of companies are already out of jurisdiction...

To tell the truth, I can't think of a good way that we will get around this. We have to remove the motive - perhaps prosecuting the people that advertise this way?

Re:But will this REALLY stop spyware?

[gcaseye6677]

I've never understood why companies like the one behind Xupiter are not being prosecuted under existing laws. If you install something on someone's machine without telling them, by taking advantage of a browser security hole, then you have committed computer trespass. Why is it legal just because a corporation is doing it? And due to the fact that some of these toolbars are designed to hijack a Google search and redirect it to some fake search engine that is full of advertisements, I am surprised Google has

Legislation=Trojan

[Potor]

I bet legislation in this area will do nothing to ease the spyware problem, but instead will only act as a trojan increase governmental control of the web.

I know: not a new idea, or particularly interesting. However, I do find it funny to see people applauding legistative solutions to problems on the internet, which is usually praised for being an anarchic forum.

Re:Legislation=Trojan

[Potor]

D'oh, interpolate "to" between "trojan" and "increase." I could have sworn I hit the preview button.

The EFF is catching on

[swb]

would like to see a more serious effort made to use existing laws against unfair trade practices, misrepresentation, computer fraud and abuse, before new technology-specific laws are passed

Here, here -- why aren't fraud and other bad-trade laws used more often? Is it a lack of resources? A cultural zeitgeist that embraces legal-gymnastics and rationalizations as legal compliance for prima faciae unethical conduct? Part of the current administration's pro-corporate/pro-business mindset?

It just seems that as long as you're not outright *stealing*, you can get away with pretty much anything, and it's not fraud. Has this always been the case?

Re:The EFF is catching on

[mratitude]

It just seems that as long as you're not outright *stealing*, you can get away with pretty much anything, and it's not fraud. Has this always been the case?

Perhaps, but it's a symptom too. As much as the WWW "evolved", organizations such as W3C not addressing this within the programmatic client/server model bears as much a relationship to how profit/information oriented organizations have used technology standard as it exists today.

It could be noted that government bodies get involved as a last reso

Futility production

[Quicksilver]

Futilty detector is sounding... So it would be only illegal to collect this information for *marketing* purposes?!!!

That's a law that'll be useful.

What else would you want it for?

[jamehec]

I'm no expert, but isn't the whole *point* of sleazeware for marketing? Every time I've seen sleazeware, it's had ads with it, or frobnitzim there for the purpose of collecting info for - wait for it - advertising.

Not trying to troll / show anyone up / be an arse, I am really just curious.

Re:What else would you want it for?

[Quicksilver]

What else?!! I don't want it legal for *anyone* to install software on *my* machine without my consent. No matter what the purpose.

If a pimply faced highschool student does it they call it hacking. Why are corporations any different?

Besides companies will just split the work and then the law is useless. "Oh our company just gathers data on computer users to sell" Would be the magic defense. Nevermind that they guy owns another company that happens to be the only customer and they do... guess what... mark

Protected CDs

[rfernand79]

I wonder if this bill would cover the "protected music CDs" that install software withput your consent... but then again, that's only a concern if you live in a Windows world.

Re:Protected CDs

[mark-t]

Actually, those protected music CD's that install software without your consent are actually spreading a virus.

Granted, it's a virus that can only propogate when the CD is moved from computer to computer, but it still meets all the criteria for being called a virus.

So spyware is banned in Australia now.

[jamehec]

Does this mean that MSIE, ActiveX, web bugs and Java/Javascript are all banned in Australia now? ;)

a break

[stimpleton]

"Australian Gov't To Consider Spyware Laws"

Previous story related to this:

"Australian Gov't puts halt on Spyware consideration."
Story goes on to mention this was due to
"Sharon firing up the BarBee, and chucking on a few savs and shrimps."
Later, Victorian MP was heard to say "Oi, Kev mate. Chuck us another tinnie."

Word 2 the wise: Back Up AV/Firewal Inst. Files..

[iamcf13]

I suspect the Spammers / Crackers are DESPARATE enough now to see about compromising antivirus and firewall programs at the source via a crooked/disgruntled person at the company with access to the software and/or the source code to it (even 'better').

You have been warned....