Utah's anti-spyware law

March 31, 2004

By Pamela Jones, Editor of Groklaw

There oughta be a law, as they say, and now there is one in Utah. Yes, Utah is the first state in the US to pass legislation banning certain kinds of spyware, the Spyware Control Act, and they took a heap of criticism from the likes of Microsoft and even cuddlier companies like Google, Novell and Amazon, who tried to block it from being passed, but failed. The governor just signed it last week.

Why? What is in this bill that such a broad coalition of companies took a look at it and didn't like what they saw? The best place to go to understand the new law is Ben Edelman's page, A Close Reading of Utah's Spyware Control Act (H.B.323). He has a clear chart showing in a creative way what the law says, with all its subclauses visually laid out. He consulted with the Utah legislators who prepared the bill, and his take on it is worth reading.

He was mightily surprised to see companies like Yahoo and AOL and Amazon and all the rest united against this bill. He concludes they have misunderstood the bill, and after researching it, I think that is indeed part of the problem. Novell's Vice President and Deputy General Counsel Ryan Richards wrote an Op Ed piece for the local paper about the bill in mid-March, "'Spyware' Bill Would Hurt Net Use", where he lays out the objections that he had to the bill and what he felt would be its unintended consequences. Here's a bit of what he wrote: ". . . the bill in its current form could potentially criminalize some of the most popular consumer software on the market, including popular media players, anti-virus programs, internet services, e-mail programs, and networking software."

After reading the bill itself, however, I believe he misunderstood the law, and I have concluded that the consequences are not unintended but rather precisely what the legislators meant to achieve. They intended that hidden spyware that transmits information about users without their consent be outlawed. It's a bit like the definition of spam. "Legitimate" advertisers would like us to exempt their mailings from that definition. Now they want us to exempt them from the definition of spyware. The Utah legislators passed a bill that doesn't make that distinction. They are telling all companies to just quit it.

Because Ed Felten's analysis of the bill included the statement, "I have not seen specific examples of legitimate software that would be affected," I asked Novell's Bruce Lowry what products of theirs might be impacted by this bill, if any. He replied that while the bill is written in a vague enough way that he wasn't quite sure, one product might be ZENworks, used to configure machines and update software, including security patches, remotely. You can see a demonstration of ZENworks in a video on Novell's coverage of its recent Brainshare conference. I thought it looked like a wonderful product, but it does have to monitor computer usage to work and it sends reports back to a remote server, "both actions that would appear to make ZENworks 'spyware' under the terms of the legislation," Lowry worries. "The language doesn't distinguish between this type of high value, legitimate monitoring of computer activity from those actions that the legislation is ostensibly targeting - i.e. unsolicited advertising."

That would be an understandable worry, if he were correct that the law outlawed that product and others like it. But my reading of the statute convinces me that the bill only requires companies to let users know how products like ZENworks do what they do, get user consent, which presumably they already do, and make it possible to uninstall ZENworks, if users want to later. How burdensome is that? Further, Section 5 specifically excludes "software designed and installed solely to diagnose or resolve technical difficulties."

The strong reaction to this modest bill -- and you can read a PDF letter written by the companies and organizations that united to oppose it -- makes me heart-sinkingly sure that companies currently do quite a bit of monitoring and that the bill is designed to solve a runaway problem. Obviously, currently there is no law against spyware, except in Utah, although there is a bill being prepared on the federal level, and the FTC is holding hearings in April. Europe is considerably ahead of the US on privacy issues, maybe because Madison Avenue is an American phenomenon.

Might Mr. Richards be referring to that popular media player of the same name that the EU Commission just ordered Microsoft to unbundle, for example? Considering Microsoft Media Player's calling-home features, I'd say "probably." And while everyone has been talking about "benign" and "important and beneficial Internet communication software", that perennial favorite "stifling innovation", and the bill burdening users with notices, as if anybody cared about us anyhow, the truth is more likely to be elsewhere. Might it be that advertisers are worried about their income stream, and that at least some of the objecting parties - who are also entertainment purveyors - want to know exactly what everybody is up to with their music and DVDs and intend to spy to the extent they think they can get away with?

There is also a chilling statement in the letter listing reasons the signatories oppose the bill: "The bill also would create serious barriers to collection of data that Internet companies and security companies use to analyze and prevent hacker attacks on the Internet. This security problem is exacerbated by the fact that computer hackers, and other criminals could refuse to consent to use the software that law enforcement officials need to be able to conduct investigations." What are they saying? That instead of getting court orders to track criminals, which doesn't require their permission, law enforcement officials currently track everybody with commercial spyware? That's the kind of revelation, if that's what they meant, that gives privacy lovers hives.

So, what does the bill outlaw?

First, what it doesn't outlaw. It doesn't say they can't spy on us customers. They just have to tell us, in plain language, what they intend to do and get our consent, and make it possible for us to uninstall whatever we let them put on our computers, if we later change our minds. Before you say no one would ever give consent, think about Google's toolbar. A lot of folks trust Google, and they say yes when Google asks if they can track them. And no, Google's toolbar is not outlawed by this bill, because they comply with the notice and uninstall requirements already. Maybe that's why many trust them.

Excluded from the definition of spyware are programs that diagnose or resolve technical problems, cookies, HTML code, and JavaScript used to report info stored on the user's computer, and operating systems. Plenty of wiggle room there. Anti-virus software and firewalls typically come with licenses that tell you what they do and thus get the necessary consent. The bill also outlaws intrusive ads that block the user's view of "legitimate" paid ads and website content. The liability for those who do it anyway is $10,000 per ad displayed, and that is tripled if the jury thinks they did it on purpose.

There is a catch. The victim can't bring a lawsuit. Only website owners, advertisers, and copyright and trademark owners (that elite bunch that legislators adore to write laws for) can sue. The rest of Utah's citizens must report violations to the Division of Consumer Protection, and the agency follows through, hopefully. The Utah legislators need to vote some funding if they are serious about stamping out spyware in Utah.

Ben Edelman tells me it wouldn't surprise him to see exactly that happen in coming years. "I think the bill reflects a good initial attempt to protect consumers and web sites from the many negative effects of spyware programs," he says, "and I think it offers a sensible and workable framework for doing so."



Utah's anti-spyware law

Posted Mar 31, 2004 19:09 UTC (Wed) by NAR (subscriber, #1313) [Link]

> They just have to tell us, in plain language, what they intend to do and get our consent, and make it possible for us to uninstall whatever we let them put on our computers, if we later change our minds.

When I last installed a program containing spyware on a Windows machine, the "click-through" license agreement included in plain language that the program shows ads so I think it wouldn't be much change - people never read the license anyway.

Bye,NAR

Utah's anti-spyware law

Posted Mar 31, 2004 19:45 UTC (Wed) by dsime (guest, #5764) [Link]


Ah but then

> and make it possible for us to uninstall whatever we let them put on our computers, if we later change our minds.


Utah's anti-spyware law

Posted Apr 1, 2004 12:11 UTC (Thu) by NAR (subscriber, #1313) [Link]

That specific software was easily uninstallable - just a click on the "Uninstall" icon and it's gone. I still do think this law won't change anything - most of the applications are uninstallable anyway and their license already contained paragraphs about the ads.

Bye,NAR

Utah's anti-spyware law

Posted Apr 2, 2004 20:53 UTC (Fri) by farnz (guest, #17727) [Link]

You've never had experience of some of the nastier bits of Windows spyware; several products install something called "Cydoor", which is next to impossible to remove without downloading something like Adaware.

my non-techie friends

Posted Mar 31, 2004 20:40 UTC (Wed) by jamienk (guest, #1144) [Link]

I have a few friends who run Windows because it came with their computer and the tech support people from their ISPs etc assume Windows. I am shocked at what I see when I look at their computers. They are completely overrun by a multitude of pop-ups, desktop icon ads, shifting home pages, grabbed MIME-type associations, viruses, worms, etc. They are seriously 0wned. It gets to a point where the malwares -- including multiple versions of multiple anti-virus programs, Active X toolbars, apps running in the tray, services, Autoexec.bat entries, strangely named processes -- are in a constant battle with each other, popping up a plethora of virus warnings, gambling come-ons, gay porn slide-shows, password-prompts, and sign-up demands from a mix of "trusted" and unknown sources. (Is it ok to act on a dialog box demand from a company called "Securityresponse?") They receive letters of warning from Time Warner cable, bounced spam, and spend hours on tech support with a know-nothing trying to configure their Windows auto-update, which is yet one more pop-up that they sometimes decide to click "OK" for, hoping that it'll solve one of their many issues.

They are completely resigned, consider it a matter of course that their privacy can be invaded at any time by anyone, and know that no matter how well I fix everything for them, it will all go to hell again soon.

my non-techie friends

Posted Mar 31, 2004 21:11 UTC (Wed) by fjf33 (subscriber, #5768) [Link]

I would recommend Spyware Search & Destroy for them. I run a windoze machine so I know.

my non-techie friends

Posted Mar 31, 2004 21:29 UTC (Wed) by MathFox (guest, #6104) [Link]

I guess that an upgrade can help your friends. Mandrake and Lin---s (sorry I'm Dutch) are viable distros for beginners.
They will certainly be more secure!

my non-techie friends

Posted Apr 1, 2004 7:45 UTC (Thu) by hingo (guest, #14792) [Link]

Umm... In fact Lindows seems to have copied its security policies from Microsoft. Unless things have recently changed, the default install ends up with the user running everything as root, and root has no password anyway.

Of course, even using an unsecure Linux distro is better than Windows, since not many worms or spyware are written for Linux yet. But I don't see why we would need to recommend such an unsecure distro to anyone.

Now Mandrake on the other hand... There you have a distro that's easy to use and still does it the right way.

Lindows policy

Posted Apr 1, 2004 12:51 UTC (Thu) by grantingram (guest, #18390) [Link]

Well according to lindows.com they ask the user to specify a root password during the install, you can bypass it - but then you can do that with Mandrake too.

There is a wonderful interview (osnews.com) that is so full of enthusiasm that it almost makes me want to buy it!

However I'm already using Mandrake...

Lindows policy

Posted Apr 1, 2004 14:02 UTC (Thu) by hingo (guest, #14792) [Link]

Ok, thanks for the update. In fact it is reassuring to read that interview, I mean to see that they actually have people who know what they are doing. Even if their solution still isn't as paranoid as it could be, it's assuring to see that they know it's an issue. (Compare: I know I shouldn't use perl, but I still do occasionally, because it's often the easiest way out.)

But since you/we have brought it up, have you ever tried to log in as root in Mandrake? First of all, it's not easy, since root is not an option in the kdm login screen. And if you are still stubborn enough to get logged in (via startx or by adding root to the list of kdm users) you are greeted with an annoyingly red background and a message box telling you to immediately log out and start using a normal user account. This is more than most other distributions do. Nice to know that somebody cares about me.

henrik

Mandrake and root logins

Posted Apr 2, 2004 5:47 UTC (Fri) by Duncan (guest, #6647) [Link]

> [H]ave you ever tried to log in as root in Mandrake?
> [I]t's not easy, since root is not an option in the kdm login screen.

I'm a Mandrake user, and never had an issue logging in as root.

Of course, I very quickly set my system to boot level 3 text consoles, instead of level 5
DM, as well (yes, even as a beginner, as I'd asked for recommendations on some good
Linux books and read O'Reilly's "Running Linux" when I decided to do more than play
with Linux as a toy, which was about time MSWormOS came out with eXPrivacy..
talking about spyware.. and was compiling my own kernels even before I'd found
suitable mail and news clients in Linux, and was therefore still booting MSWormOS to
run OE!), and invoked KDE, my desktop of choice, from a logged-in user at the console.

However, I seldom log into an X session as root. I think the last time I did it was to
check what I suspected was permission issues, as I couldn't log in as a normal user. It
turned out I was right, but as soon as I'd had it confirmed by successfully logging in as
root, I logged back out, to complete the rest of my trouble shooting and fixing at the
console or with the good old mc.

I do, BTW, think Mandrake's policy is about right. Anyone not at home at the command
line NEEDS a DIRE warning if they somehow get an X session as root!

Duncan

my non-techie friends

Posted Apr 19, 2004 20:37 UTC (Mon) by jimwelch (guest, #178) [Link]

My "next door" cubie was about to buy a new computer because it was too slow.
We talked him into installing ad-aware. It cleaned his windoze and increased his "download" speed by a factor of 10. (slow modem in the country - mooo!) He was about to give up on the internet.

Utah's anti-spyware law

Posted Apr 1, 2004 1:09 UTC (Thu) by ccyoung (guest, #16340) [Link]

Wouldn't MS Windows XP itself be considered spyware?

Windows XP

Posted Apr 1, 2004 14:19 UTC (Thu) by 0015517 (guest, #2065) [Link]

It has a license. They just need to add the uninstall button. :)

Utah's anti-spyware law

Posted Apr 2, 2004 15:16 UTC (Fri) by Duncan (guest, #6647) [Link]

> Wouldn't MS Windows XP itself be considered spyware?

The question need not be answered for present legal purposes, since the bill
exempts operating systems.

Duncan

<your state's name here>'s anti-spyware law

Posted Apr 1, 2004 2:56 UTC (Thu) by maney (subscriber, #12630) [Link]

I just want to say one thing: can we have one of those things here in Illinois too, please? Oh, please?

(apologies to Lou & Peter for stealing their song's concept)

Why Utah

Posted Apr 1, 2004 5:42 UTC (Thu) by hathawsh (guest, #11289) [Link]

I imagine a lot of folks are wondering why Utah is the first state to pass legislation like this. I think it's directly related to these statistics: the U.S. Department of Commerce named Utah the top state for computer ownership, and a New York research company ranked Salt Lake City first in number of households with a computer.

http://www.econdev.slco.org/content/labor_l11.cfm

Utah's anti-spyware law vs GPL

Posted Apr 1, 2004 20:15 UTC (Thu) by cdurst (guest, #2953) [Link]

OK, this may be a stupid question, but could this law be a problem for
GPL-licensed programs?

Sure, the FLOSS community doesn't have many REAL "spyware" threats
(hopefully), but some of our background daemons, might fall under this
definition.

Although any of the daemons or applications can be easily removed from
Linux, I doubt that the GPL itself qualifies as the kind of license
agreement required by this bill. And how many Linux end users have ever
clicked-through it anyway? Much less seen any clear report of the
"information to be transmitted."

It sounds to me (a non-lawyer) like this might actually be a problem for
some Free Software as well.

Utah's anti-spyware law vs GPL

Posted Apr 1, 2004 21:57 UTC (Thu) by jamienk (guest, #1144) [Link]

You don't have to agree to the GPL to use GPL'd software. You only have to abide by its terms when you distribute (give or sell) it or derivatives of it.

If some piece of Free software does spy on your computing, I believe they should let you know that they are doing it and give you the option to not allow it.

Utah's anti-spyware law vs GPL

Posted Apr 2, 2004 6:24 UTC (Fri) by Duncan (guest, #6647) [Link]

As "jamienk" stated, the GPL doesn't concern itself with use at all. Simple use is
unregulated by the license, unlike that of most proprietaryware EULAS out there, with
the exception of the "author is not responsible for damages" type clauses.

It may be, however, that in order to comply with the law, certain distros and specific
applications may need to make certain information a bit more prominent, particularly the
auto-update type applications. (Wait.. distros not affected, due to the OS exemption
clause, which BTW also exempts MSWormOS eXPrivacy...) That shouldn't be too big an
issue for anything sold off-the-shelf in the state. It could perhaps be technically difficult
for authors wherever in the world they might be trying to comply with laws of a state they
don't care about, but no more than, say, the difficulty of a US site trying to comply with
the anti-nazi laws of parts of Europe, when the US protects such under US Constitution,
First Amendment (Freedom of Speech). Further, given the effectively anti-open-source
laws on the books such as the DMCA and similar, the US is probably not the best choice
for many such open source authors to travel already. (Dimitry Skylarev (sp?) wasn't an
open source author, but certainly ran afoul of the DMCA, as a case in point..)

However, as "jamienk" stated, encouraging informed consent for the few open source
apps that might be affected is a GOOD thing, IMO.

Duncan

Madison Avenue?

Posted Apr 1, 2004 23:00 UTC (Thu) by bryn (guest, #1482) [Link]

"Europe is considerably ahead of the US on privacy issues, maybe because Madison Avenue is an American phenomenon."

It may be that my being a European is the reason I don't understand this cultural reference. A quick check on Google didn't tell me anything useful - perhaps because there seem to be a lot of other Madison Avenues about. Is this some economically important area, like Wall Street? Sorry for being a naive non-American.

Madison Avenue?

Posted Apr 2, 2004 6:09 UTC (Fri) by Duncan (guest, #6647) [Link]

> [Europe ahead of the US because "Madison Avenue"
> is an American phenom.]
>
> [M]y being a European [maybe] the reason
> I don't understand this cultural reference.

Probably so. "Madison Avenue" refers to all the big advertising firms, apparently
because at least at one point in US history, most of them had addresses ON "Madison
Avenue", I believe in New York City. I'm enough out of the advertising loop that I don't
know if that's the case any more, or even for sure that the referred to Madison Avenue IS
in NYC, but yes, that's an "Americanism" for big corporate advertising and all the politics
and money put INTO politics BY that system.

Actually, I'd expect that the "economic elite" the world over would probably recognize the
reference, altho it's possible that's inadvertent US-centrism showing. Anyway, that you
didn't recognize it is to me an encouraging sign, that "Madison Avenue" isn't as strong
elsewhere as it unfortunately DOES seem to be here in the US.

From what I read, "the unions" in Europe hold roughly the power "Madison Avenue" does
here, while the unions here don't have nearly the power they once did, and perhaps hold
about the same influence as "corporate advertising" may hold there.

Duncan

(I'm USian by birth and current residence, but grew up as a missionary kid in Africa, and
saw at least a /small/ bit of Europe and the rest of the world as a result of the travels
back and forth. My folks, BTW, now work at an orphanage in El Salvador, with my sister
a doctor at the mission clinic next door. What am I still doing in the US? <g> Anyway, I
like to /think/ at least, that I have a bit better view of the world than most USians. <g>)

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds