Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for May 16, 2013
A look at the PyPy 2.0 release
PostgreSQL 9.3 beta: Federated databases and more
LWN.net Weekly Edition for May 9, 2013
(Nearly) full tickless operation in 3.10
my problem is with using the term "spyware"
Posted Dec 17, 2012 9:20 UTC (Mon) by dlang (✭ supporter ✭, #313)
Diluting a term to cover lesser problems means you now have no term to cover the severe problems.
There is a real problem with apps claiming to be for one purpose, but sending a lot of your information out. Since they actually do work for the purpose they claim, calling them "Trojans" doesn't really work, the term "malware" is so broad as to be meaningless. Spyware captures these programs perfectly.
but if you use "spyware" to cover cases where information gets sent that is needed for the functionality that's being provided, your browser is "spyware" because when you search for something it sends the query you are searching for to the search engine.
See also chicken little, the boy who cried wolf, etc.
Knowledge and consent
Posted Dec 17, 2012 14:29 UTC (Mon) by man_ls (subscriber, #15091)
The term "Spyware" needs to be reserved for the cases where applications grab and report information that is not needed for the functionality they are providing
I would rather say:
Spyware: software that grabs and uses private information without the knowledge of the user.
But I am not sure if the "knowledge" of the user is enough, or a proper definition should use the "consent" of the user. Even more importantly, nobody requested that feature: Canonical enabled it just to make money out of their users' private information. The definition that Stallman seems to be using is the stronger:
Spyware: software that grabs and uses private information for the benefit of the maker and without the users' consent.
Posted Dec 17, 2012 16:24 UTC (Mon) by dlang (✭ supporter ✭, #313)
> Spyware: software that grabs and uses private information for the benefit of the maker and without the users' consent.
> I can relate to it. Perhaps it is beneficial to spread this definition so other dubious uses of private data are also stigmatized, but it is probably too broad.
That is exactly my point, his definition is to broad, and it dilutes the term. Especially when he defines "submitting a search and being surprised what search engine you are submitting it to" as being "without the users consent"
Posted Dec 17, 2012 19:41 UTC (Mon) by hummassa (subscriber, #307)
Meh, actually he defines "submitting what seems to be a local search and being surprised when it is actually submitted to a remote, commercial, search engine when you have not previously signed up to that service" as being "without the users consent". And do you know what? It has some logic to it.
Posted Dec 17, 2012 15:48 UTC (Mon) by mjg59 (subscriber, #23239)
Posted Dec 17, 2012 16:22 UTC (Mon) by dlang (✭ supporter ✭, #313)
some people will like this, some will not. It's a discussion worth having on those grounds, but labelling it 'spyware' is going too far.
Posted Dec 17, 2012 16:29 UTC (Mon) by mjg59 (subscriber, #23239)
Posted Dec 17, 2012 16:35 UTC (Mon) by dlang (✭ supporter ✭, #313)
It's becoming more and more common for search to include the Internet, Browser address bars didn't use to search the Internet, they used to only search your browser history. This is just one more search option that's becoming Internet enabled by default.
As I've said repeatedly, I'm fully open to a discussion on the subject of if this is a good thing or not (personally, I dislike it and won't use it), but I just don't see that doing searches and being surprised that your search term gets to search engines as rising to the level of "spyware", that term needs to be reserved for clear abuses where there is active deception involved.
Posted Dec 17, 2012 18:10 UTC (Mon) by mjg59 (subscriber, #23239)
Posted Dec 17, 2012 18:27 UTC (Mon) by dlang (✭ supporter ✭, #313)
See "Chicken Little" and "The Boy who cried Wolf"
Posted Dec 17, 2012 18:31 UTC (Mon) by mjg59 (subscriber, #23239)
Posted Dec 17, 2012 18:58 UTC (Mon) by dlang (✭ supporter ✭, #313)
This is a very different situation from what I consider "spyware", which is sending data elsewhere that's unrelated to the function being performed.
I see this as crying wolf because even if it is a privacy violation, it's nowhere close to the class of spyware that we really need to get people upset about.
Posted Dec 17, 2012 19:03 UTC (Mon) by mjg59 (subscriber, #23239)
Posted Dec 17, 2012 19:57 UTC (Mon) by hummassa (subscriber, #307)
Spyware is a class of malware that causes lot of trouble. It is usually used to get your home banking passwords and other stuff that generally cause lots of monetary damages.
The Dash Imbroglio is an instance of another class of malware -- that deceives the user, that AT THIS POINT IN TIME, unless you advise and ask for permission first, will reasonably expect it to be just a local search and instead will do an Amazon search in addition to it.
The solution is simple: before sending any data to amazon, the first time the dash is used for each user, it should show a simple dialog stating "hi! Amazon contributes for you to have this wonderfull and Free software! How about contributing back and letting it see your searches, in case it wants to show you some offers embedded in the results? [Ok] [No, thanks]". The default could even be "ok", but no one would be DECEIVED -- the operative word that makes RMS be at least partially right.
Posted Dec 17, 2012 20:10 UTC (Mon) by dlang (✭ supporter ✭, #313)
That being said, while I am unlikely to ever use Dash (in spite of the fact that I do run Ubuntu, I use KDE not Unity), I don't see this as the end of the world that many people are making it out to be.
People are starting to expect that "search" doesn't just mean "search locally", it also means "search on the Internet". Many of the search tools that they interact with (Chrome and IE address bars for example) default to this already.
If I was doing the UI for Dash, I would have a toggle off to the side to switch between "local only" and "local + Internet" search modes (and I would be Ok with it defaulting to "Internet"). But I know from painful experience that I'm a lousy UI developer :-)
Posted Dec 17, 2012 23:31 UTC (Mon) by rahulsundaram (subscriber, #21946)
The evidence you provide to support your assertion that is somehow people's expectation that search results will connect to internet automatically is very weak. Internet browsers may search the internet and that by itself is not very surprising but desktop interfaces in general do not connect to the internet to search things automatically by default. GNOME Shell for instance, used to provide link to wikipedia and google from the shell search interface but it did NOT search google and wikipedia by default. That would have been a surprising privacy violation.
The primary reason Canonical seems to be doing it is because of a commercial contract with Amazon. If you can point to any other OS search interface that connects to the internet by default to get search results, you might have a point. As it stands, I think this is very much a unprecedented move and not at all in line with what users expect.
Posted Dec 18, 2012 0:06 UTC (Tue) by dlang (✭ supporter ✭, #313)
I'm somewhere in the middle. It's not something I will choose to use, but I don't see it as being evil.
The only thing I really disagree with is applying the term "spyware" to it. It may be wrong for other privacy reasons, but "spyware" isn't "anything that can leak information"
Posted Dec 18, 2012 0:08 UTC (Tue) by hummassa (subscriber, #307)
Well, actually... The new Android has a local+remote search enabled by default, and iOS also does some surprising searches. That was the main reason why I said "at the present time"...
Posted Dec 18, 2012 18:32 UTC (Tue) by pboddie (subscriber, #50784)
Ultimately, you have a free-for-all like in the smartphone "app" world where suddenly applications are uploading all sorts of things to the mothership. Even then, people will defend this sort of thing because "it's so convenient".
Integrating Internet services into applications isn't necessarily a bad thing, but if the business model of the month is all about keystrokes being remotely logged or whatever, people should be made very much aware that this is happening in advance so that they can avoid the product completely if they want. Mumbling that such behaviour can be turned off is not sufficient because most users will never be made aware of the situation in the first place.
Posted Dec 18, 2012 18:41 UTC (Tue) by pboddie (subscriber, #50784)
'violating reasonable user expectations' is arguable in this case
Just looking at the screenshot accompanying the article is enough to indicate that reasonable user expectations have been violated here. Would you like some "More suggestions" with your "Files & Folders"? Aside from perhaps wondering why the latter is title-capitalised and the former is not - maybe there's a retail brand about to be launched - someone who has had Ubuntu installed for them is likely to be slightly surprised and wonder what else was installed for them until they do a real Internet search and arrive at the wailing echo-chamber that is the Ubuntu Forums, only to eventually learn after pages of confused opinion what has really been going on.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds