
Thoughts on the Consumer Protection Against Computer Spyware Act

by SpywareGuide Staff

California's Senate has passed a Spyware bill that would prevent the installation of "Spyware" on an unsuspecting computer user's computer (SB 1436 Senate Bill).

Reference: http://www.leginfo.ca.gov/pub/bill/sen/sb_1401-1450/sb_1436_bill_20040928_chaptered.html

The problem with this bill centers on the definition of "Spyware". By its current definition:

"Spyware" is an executable computer software program that is installed on a user's computer without the knowledge of a computer user by a computer software manufacturer, computer software controller, or Web site operator, and that does either of the following:

(1) Gathers and transmits to the provider of the computer software, to a third party, or to a remote computer or server any of the following types of information:

(A) The personal information of a user. (e.g. name, address, etc)

(B) Data regarding computer usage, including, but not limited to, which Internet sites are or have been visited by a user.

(2) Operates in a manner that is intended to confuse or mislead the user concerning the identity of the person or entity responsible for the performed functions or content displayed by the computer software.

This is a nice attempt, but trying to regulate this type of technology will prove futile, much like the CAN-SPAM Act was futile in containing the epidemic of spam. Technology moves far faster than legislation. These threats do not change over time; they change at lightning-fast speed.

This bill states that it is unlawful for any person that is not the user of a computer to knowingly install spyware on a user's computer in California without providing that user with a detailed notice of what the software is, how it functions, if and how it collects and uses personal information, and a variety of other information pertaining to the software. The notice will be required prior to the software's "opening download," the placement of the software on the computer by web site, or the software's installation.

Adware makers will argue that their legalese-laden EULAs are adequate notice to the end user, even though I am quite sure most users do not read them or understand the language. Most of the really nasty behavior going on now could be stopped under existing laws that govern fraud, unfair trade practices and computer fraud. What this bill should have done is lay out specific guidelines on what constitutes fair disclosure. I do feel technical solutions are far more elegant, and options like Service Pack 2 will address some of these problems (e.g. the option to never trust a publisher).

If anything, software makers would be better served by thoroughly educating their users on how the software works and what it does, and by actually developing a relationship with the end user. This is where the modern-day adware application has miserably failed. You don't see fans rushing to their defense on message boards or forums. You don't see grass roots support for their applications. They have no support because they have... no fans.

The "opening download" is going to cause a lot of problems too. There seems to be a presumption that all software has to be "installed". Many authors have written lightweight, compact programs that are self-standing .exes. In short, they require no installation on the part of the user, so I am guessing these authors will now need to pop up a EULA each time the program is executed. Another question to ask is how this will impact direct linking. Can a third party link to a software program without providing information about the software download? How can a third party guarantee how a software component will behave? They can't. Does this mean that web sites deploy specific geographical filters to prevent Californians from downloading certain types of software?

I was glad to see the bill took aim at some of the nastier practices like drive-by downloads, key logging and spyware counter attack software.

(e) Through intentionally deceptive means, remove, disable, or render inoperative security, antispyware, or antivirus software installed on the computer.

In the last two years there has been a hidden but lethal arms race between security software makers and spyware authors. I have seen firsthand software that targets anti-spyware applications, either by trying to remove them or by intentionally breaking their installation. For example, the latest version of Spector, a child monitoring tool, has counterattack and stealth capabilities built in. As always, we have responded in kind with our own defense, and the cycle is perpetuated.

This is going to get even nastier, as some security companies have tried to clean up the act of anti-spyware companies who are no more than fronts for spyware! Are they in violation for disabling or removing a so-called "security application"?

Overall, I feel the spirit of the bill is in the right place, but it lacks bite where it is most desperately needed and it adds a lot of burden to legitimate software makers. Nor do I think enforcement will be easy. Many of the most notorious spyware makers, much like their brethren the crafty spammer, don't reside in the United States. Statewide legislation will not check a global problem, and it will only lead to a patchwork of laws that will be just as ineffective.

This article is copyright 2005 by XBlock.com.
It may not be reprinted or copied without the express written consent of the author.
