Why? What is in this bill that such a broad coalition of companies took a look at it and didn't like what they saw? The best place to go to understand the new law is Ben Edelman's page, A Close Reading of Utah's Spyware Control Act (H.B.323). He has a clear chart showing in a creative way what the law says, with all its subclauses visually laid out. He consulted with the Utah legislators who prepared the bill, and his take on it is worth reading.
He was mightily surprised to see companies like Yahoo and AOL and Amazon and all the rest united against this bill. He concludes they have misunderstood the bill, and after researching it, I think that is indeed part of the problem. Novell's Vice President and Deputy General Counsel Ryan Richards wrote an Op Ed piece for the local paper about the bill in mid-March, "'Spyware' Bill Would Hurt Net Use", where he lays out the objections that he had to the bill and what he felt would be its unintended consequences. Here's a bit of what he wrote: ". . . the bill in its current form could potentially criminalize some of the most popular consumer software on the market, including popular media players, anti-virus programs, internet services, e-mail programs, and networking software."
After reading the bill itself, however, I believe he misunderstood the law, and I have concluded that the consequences are not unintended but rather precisely what the legislators meant to achieve. They intended that hidden spyware that transmits information about users without their consent, be outlawed. It's a bit like the definition of spam. "Legitimate" advertisers would like us to exempt their mailings from that definition. Now they want us to exempt them from the definition of spyware. The Utah legislators passed a bill that doesn't make that distinction. They are telling all companies to just quit it.
Because Ed Felton's analysis of the bill included the statement, "I have not seen specific examples of legitimate software that would be affected," I asked Novell's Bruce Lowry what products of theirs might be impacted by this bill, if any. He replied that while the bill is written in a vague enough way that he wasn't quite sure, one product might be ZENworks, used to configure machines and update software, including security patches, remotely. You can see a demonstration of ZENworks in a video on Novell's coverage of its recent Brainshare conference. I thought it looked like a wonderful product, but it does have to monitor computer usage to work and it sends reports back to a remote server, "both actions that would appear to make ZENworks 'spyware' under the terms of the legislation," Lowry worries. "The language doesn't distinguish between this type of high value, legitimate monitoring of computer activity from those actions that the legislation is ostensibly targeting - i.e. unsolicited advertising."
That would be an understandable worry, if he were correct that the law outlawed that product and others like it. But my reading of the statute convinces me that the bill only requires companies to let users know how products like ZENworks do what they do, get user consent, which presumably they already do, and make it possible to uninstall ZENworks, if users want to later. How burdensome is that? Further, Section 5 specifically excludes "software designed and installed solely to diagnose or resolve technical difficulties."
The strong reaction to this modest bill -- and you can read a PDF letter written by the companies and organizations that united to oppose it -- makes me heart-sinkingly sure that companies currently do quite a bit of monitoring and that the bill is designed to solve a runaway problem. Obviously, currently there is no law against spyware, except in Utah, although there is a bill being prepared on the federal level, and the FTC is holding hearings in April. Europe is considerably ahead of the US on privacy issues, maybe because Madison Avenue is an American phenomenon.
Might Mr. Richards be referring to that popular media player of the same name that the EU Commission just ordered Microsoft to unbundle, for example? Considering Microsoft Media Player's calling-home features, I'd say "probably." And while everyone has been talking about "benign" and "important and beneficial Internet communication software", that perennial favorite "stifling innovation", and the bill burdening users with notices, as if anybody cared about us anyhow, the truth is more likely to be elsewhere. Might it be that advertisers are worried about their income stream, and that at least some of the objecting parties - who are also entertainment purveyors - want to know exactly what everybody is up to with their music and DVDs and intend to spy to the extent they think they can get away with?
There is also a chilling statement in the letter listing reasons the signatories oppose the bill: "The bill also would create serious barriers to collection of data that Internet companies and security companies use to analyze and prevent hacker attacks on the Internet. This security problem is exacerbated by the fact that computer hackers, and other criminals could refuse to consent to use the software that law enforcement officials need to be able to conduct investigations." What are they saying? That instead of getting court orders to track criminals, which doesn't require their permission, law enforcement officials currently track everybody with commercial spyware? That's the kind of revelation, if that's what they meant, that gives privacy lovers hives.
So, what does the bill outlaw?
First, what it doesn't outlaw. It doesn't say they can't spy on us customers. They just have to tell us, in plain language, what they intend to do and get our consent, and make it possible for us to uninstall whatever we let them put on our computers, if we later change our minds. Before you say no one would ever give consent, think about Google's toolbar. A lot of folks trust Google, and they say yes when Google asks if they can track them. And no, Google's toolbar is not outlawed by this bill, because they comply with the notice and uninstall requirements already. Maybe that's why many trust them.
There is a catch. The victim can't bring a lawsuit. Only website owners, advertisers, and copyright and trademark owners (that elite bunch that legislators adore to write laws for) can sue. The rest of Utah's citizens must report violations to the Division of Consumer Protection, and the agency follows through, hopefully. The Utah legislators need to vote some funding if they are serious about stamping out spyware in Utah.
Ben Edelman tells me it wouldn't surprise him to see exactly that happen in coming years. "I think the bill reflects a good initial attempt to protect consumers and web sites from the many negative effects of spyware programs," he says, "and I think it offers a sensible and workable framework for doing so."
|Created:||March 29, 2004||Updated:||April 1, 2004|
|Description:||Remote buffer overflow vulnerabilities have been found in Courier-IMAP and Courier MTA. These exploits may allow the execution of arbitrary code, allowing unauthorized access to a vulnerable system.|
|Package(s):||emil||CVE #(s):||CAN-2004-0152 CAN-2004-0153|
|Created:||March 25, 2004||Updated:||March 31, 2004|
|Description:||The emil mail filter utility has buffer overflow and format string vulnerabilities that can be exploited locally and remotely, It may be possible to craft an email that exploits the vulnerability and executes arbitrary code.|
|Package(s):||ethereal||CVE #(s):||CAN-2004-0176 CAN-2004-0365 CAN-2004-0367|
|Created:||March 29, 2004||Updated:||June 2, 2004|
|Description:||There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3. More information can be found in this advisory from ethereal.com and in this Eye on Security advisory.|
|Created:||March 31, 2004||Updated:||April 19, 2004|
|Description:||The monit system administration program through version 4.1 suffers from remotely exploitable buffer overflow and denial of service vulnerabilities.
Two additional vulnerabilities have been found in the HTTP interface of monit, possibly leading to denial of service or execution of arbitrary code.
|Created:||March 29, 2004||Updated:||April 5, 2004|
|Description:||A remotely-exploitable overflow exists in versions of oftpd 0.3.6 and earlier, allowing an attacker to crash the oftpd daemon. Issuing a port command with a number higher than 255 causes the server to crash. The port command may be issued before any authentication takes place, meaning the attacker does not need to know a valid username and password in order to exploit this vulnerability.|
|Created:||March 31, 2004||Updated:||March 31, 2004|
|Description:||Versions of the OpenLDAP server through 2.1.12 suffer from a remotely exploitable denial of service vulnerability; some more information can be found in the OpenLDAP bug tracker.|
|Created:||March 29, 2004||Updated:||March 31, 2004|
|Description:||Primoz Bratanic discovered a bug in libpam-psgl, a PAM module to authenticate using a PostgreSQL database. The library does not escape all user-supplied data that are sent to the database. An attacker could exploit this bug to insert SQL statements.|
|Created:||March 29, 2004||Updated:||April 20, 2004|
|Description:||A bug was found in the processing of %-encoded characters in a URL in versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses Access Control Lists (ACLs), a remote attacker could create URLs that would not be correctly tested against Squid's ACLs, potentially allowing clients to access prohibited URLs.|
|Package(s):||tcpdump||CVE #(s):||CAN-2004-0183 CAN-2004-0184|
|Created:||March 30, 2004||Updated:||September 30, 2004|
|Description:||TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.|
ResourcesOpen Source Vulnerability Database has opened its virtual doors. "The Open Source Vulnerability Database (OSVDB) is an open project to collect and distribute vulnerability information freely to everyone. The project team contains skilled volunteers working together to document every security vulnerability that arises."
Page editor: Jonathan Corbet
Next page: Kernel development>>
Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds