Posted on 05/25/2005 12:39:09 PM PDT by ShadowAce
Analysis On my computer right now I have three anti-spyware programs, three anti-virus programs, and three anti-spam programs, together with a hardware and software firewall, an IPsec VPN, and data level encryption on certain files (and no, this is not intended to be an invitation for you to try to test my security.)
The anti-spyware, anti-virus, and anti-spam software all work in very much the same way - they have definitions of known malicious programs, and they may also have algorithms to raise flags about unknown programs which operate in an unusual way. Depending upon user preferences, the programs either automatically block or delete the suspicious mail or program, stop a running process, or quarantine a file for the user to delete.
In general, users delete all or virtually all of these identified programs and blocked mail. I mean, who really wants spyware or viruses, right? However, both the identification of programs as spyware or spam, and the deletion of these programs may, in fact, be a violation of the law.
At present there are several dozen laws or pending bills to both define and outlaw spyware. At the federal level, there are three bills pending, including the Internet Spyware (I-SPY) Prevention Act, HR 744, the SPY Act, HR 29, and SPY BLOCK Act, S. 687. At the state level, there are four existing anti-spyware laws, in Utah, Washington State H.B.1012, Virginia - Prohibited Software and Actions and California - Computer Spyware.
In addition, there are a number of states that are considering laws to outlaw spyware. While there are significant differences in each of these proposals (with some permitting criminal or private civil enforcement, and others only permitting the State Attorney General to enforce these rights), in general the law attempt to prohibit the "deceptive" practices of the unauthorized installation of programs that monitor a consumer's activities without their consent. As a result, these statutes tend to prohibit both the transmission or installation "through intentionally deceptive means" of software that either changes configurations of certain programs, or collects personally identifiable information, or prevents a user's efforts to block installation, or falsely claims that software will be disabled by the user's actions, or removes or disables security software, or takes control of the computer (by accruing dial-up charges, or by opening a series of advertisements that can only be stopped by turning off the computer).
Of course, if I want to install software that does all these things, the law would not prohibit these things. The problem of distinguishing between illegal spyware and ordinary programs is not that easy, however. America Online was sued when it distributed version 5.0 years ago, which members of the class that sued claimed altered software and registry settings without the consumer's knowledge or consent. Netscape was similarly sued for a version of its browser, but defended claiming that the Software Licence Agreement provided notice of the changes. Rumors have abounded that the next version of Microsoft's "Longhorn" OS will automatically send error messages to the mothership in Redmond which will now contain information about not only the system settings at the time of a crash, but also the contents of any document the user may have been working on when the system crashed.
Thus, the key difference between unwanted and unlawful spyware and "legitimate" software is simply user knowledge and consent. Both might actually collect and transmit personal information, muck up system and registry settings, be hard or impossible to alter or delete, and might disable itself or other programs upon removal. But did you know and consent to having it installed?
How does a purveyor of "spyware" get users to "consent" to its installation anyway? Online consent is usually achieved through some form of advisory on a webpage or a click-through agreement. Providing users with access to your Terms of Service or Terms of Use (by placing them on a link on your home page) or providing them the relatively easy ability to download or view a Software License Agreement is usually sufficient to bind the consumer to any non-egregious or unconscionable terms of a contract, including things like agreeing to arbitrate disputes, and agreeing to sue in the website operator's home jurisdiction (Guam? Northern Marianas Islands?), and so on.
Just how "prominent" must a Software License Agreement or website be in order to not constitute a "deceptive" practice? How detailed must a software distributor be in describing exactly what registry settings the software alters, what information it collects, and what programs it may interfere with in order to avoid liability? How does a software distributor get consent of, for example, a 13-year-old in Columbus, Ohio who just wants to download a pretty screensaver, yet is below the age to legally enter into a contract? Or what about a 92-year-old first time computer user in Sheffield who is installing a program he or she read about in a magazine?
Take, for example, one common source of "spyware" or "adware," Kazaa's peer-to-peer network software. By simply downloading and installing the P2P software you are agreeing to the terms of their 5,500 word license agreement, which attempts to distinguish between the evil "spyware" that they would never install on your computer, and the helpful and friendly "adware" which, according to Kazaa, delivers ads which "are selected for you based in part on how you surf the Web so they're often about things you are actively searching for. That makes them pretty useful." Consider a website which might contain language at the bottom (under the "privacy policy" or "legal") which might contain language to the effect that, by proceeding past the home page, or by installing certain programs, you are agreeing to the installation of a key logger, password grabber, browser redirector, program crasher, a pop-up installer, and a remote control program. Is it a crime if you state that you never read or understood what was clearly and plainly written on their website?
Whether a program is a crime or was invited must go beyond mere "notice and proceed" consent, or even mere "clickwrap" consent. When a program is as invasive and potentially destructive as what we commonly think of as "spyware" or "adware," the distributor should be required to demonstrate effective and informed consent - sort of an "are you sure you want to do this?" consent. Sure, this is a much higher standard than required of any other form of clickwrap contract - many of which may be as unconscionable as the installation of spwyare. But if I am going to install something that is as potentially disruptive as spyware, the purveyor should take strong steps to show that I knew what I was doing. This applies equally to Kazaa's Claria as it does to Redmond's Microsoft. Clear, concise and easily understood terms should be required.
Now let's say I install Kazaa and agree to the GAIN ads they give me as a condition precedent for obtaining this useful P2P software. Or, suppose I install a demo version of a program, and agree to a condition that it will self-destruct if I don't pay for it. Or, I install a screensaver which contains a notice that it will also redirect my browser and install spyware (but I am dumb enough not to read that part). I am therefore bound by the terms of the contract I have agreed to - whether or not I have read it - unless the terms are unconscionable and therefore unenforceable, or they are so buried and inaccessible or fraudulently worded as to not be capable of forming a contract.
Once I receive the benefit of the contract I have entered into (the P2P software, the screensaver, etc.) suppose I then download and install a spyware remover, which either automatically or at my request removes the portion of the program which is of benefit to the software distributor. Thus, I get the benefit of the program without adhering to the other part of the contract. An analogy can be made to those who get "free" broadcast television with the implied understanding that they will watch commercials, and then they use TIVO to get past them or create software programs that will automatically remove them from recorded broadcasts. More apt an analogy is those who subscribe to valuable services (such as email newsletters) on the condition that they provide some personal information, such as for a subscriptions to the online New York Times - and then deliberately provide false information. While these websites don't seem to mandate that you provide accurate
information, what if they had an "attestation" clause - meaning, I agree that I am providing accurate information as consideration for my access to the free online content of the New York Times? Would that make viewing the Times under false pretenses the same as stealing a copy of the paper from the news box?
The problem is worse for anti-spyware programs, which essentially automate the process of breaching consumer contracts. This is assuming that the consumers actually agreed to the terms and conditions under which the spyware was installed - generally not a valid assumption. Essentially, the spyware distributors would argue that the anti-spyware purveyors are inducing their customers to breach their contractual obligations, and are tortuously interfering with their contractual relationships with those who knowingly downloaded the spyware.
This is precisely the legal theory relied on when New.net sued Lavasoft in Federal Court in California, asserting that by calling its software "spyware" and blocking it, Lavasoft was defaming its products and interfering with its ability to distribute it. The California court rejected these arguments, asserting that, "despite the fact that the success of [New.net's] business ultimately depends on its ability to distribute as many copies of its software as possible onto users' computers, these relationships with the public at large are based on free and usually surreptitious downloads, and thus hardly rise to the level of 'economic relationships' as there is no business dealing between the unsuspecting users and [the company]." While the result is laudable, it is not clear that the analysis withstands scrutiny. New.net's "customers," those who installed the software with a bargained for consideration, were induced into breaching the contract by Lavasoft's operator's designating the program as "spyware." Certainly there was an economic relationship between New.net and those who downloaded the software ? personal information in exchange for free software. The court could have attacked these contracts and found that the users never really agreed to them, and therefore were unenforceable, but it did not do so - it simply dismissed any argument that there was an economic relationship.
The lesson of all of this is, if you get a bargained-for benefit from downloading and installing a program in return for agreeing to provide something (such as your personal information), not only may the distributor be guilty of a deceptive trade practice if it doesn't fully explain what the program does, you may also be guilty of a deceptive practice if you don't live up to your end of the bargain. Another full employment program for lawyers!
I have a Mac running OS X. I simply accomplish work on my machine and don't have to worry about this crap. Maybe you all should try it one day, it really is nice.
I have a Mac running OS X. I simply accomplish work on my machine and don't have to worry about this crap. Maybe you all should try it one day, it really is nice.Maybe you should watch what you wish for. When Mac's become as ubequitous as windows, they will be just as heavily targeted.
i just want to know how to get rid of that *&^(&%(&^!!! stupid partypoker pop-up ... any ideas? ...
Would you like to perform a full system scan for critical PC errors?  |
||||||
 |
Sounds to me like refusing to pay a drug dealer, only there's no thug waiting to beat the crap out of me...
Uh oh. Look what you did. You've angered the M$-bots, LOL. "Why, the Mac would have just as many security problems if it didn't have such a tiny market share" (sarcasm).
"Awright in there! We're the spyware police. Throw out your keyboards and come out with your hands up!"
That is why the antivirus programs dont tackle spywear....they are legal companies products.
Not likely, and not because the Mac is so good, but because it will never take down windows.
If it ever became a threat, Microsoft could just buy it outright. (anti-competitive, anti-trust or not).
That said, the mac is an interesting demographic that would appeal to hackers seeking financial gain (and a challenge).
I'm sure if Karl Rove (a machead and apple evangical) and Rush Limbaugh (also a bigg booster of macs) had their ways, everyone across the country would have them.
They will, but since the foundation of OS X is UNIX, and every computer geek in the world it seems has been over UNIX with a proverbial fine-toothed comb looking for flaws, the targeting will be less effective. (Even more so, since first runs of all programs under 10.3, 10.4, and presumably all future version of Mac OS require user consent--a cute little feature which makes malware much harder to slip in.)
You make some good points. And although I know windows better, I certainly do like Macs.
Gotta get me one.
Me? I have too much invested in hardware to make the switch--besides, none of that crap will run on my machine, anyway.
not because the Mac is so good, but because it will never take down windowsThey'll get a boost by going to intel. Cheaper hardware.
The threat to MS is open source running in a UNIX based environment, not Macs per se. Mac OS X, Linux and full-fledged UNIX running on bigger machines, are collectively the threat.
Won’t be the first “crime” I’ve committed.
I use AD-aware, Search & Destroy to scan my computer with. I also use SecretMaker @ all times to prevent pop-ups and other annoying things. I recommend you download all 3 @ download.com
I forgot they are FREEware.
This article is about users who gave permission for the adware to be installed.
While it makes some difference what OS is being used, it doesn't really matter that much. If the user grants access to the machine, they end up in this situation.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.