

Utah's anti-spyware law

March 31, 2004

By Pamela Jones, Editor of Groklaw

There oughta be a law, as they say, and now there is one in Utah. Yes, Utah is the first state in the US to pass legislation banning certain kinds of spyware, the Spyware Control Act. The legislators took a heap of criticism from the likes of Microsoft and even cuddlier companies like Google, Novell and Amazon, who tried to block it from being passed, but failed. The governor just signed it last week.

Why? What is in this bill that such a broad coalition of companies took a look at it and didn't like what they saw? The best place to go to understand the new law is Ben Edelman's page, A Close Reading of Utah's Spyware Control Act (H.B.323). He has a clear chart showing in a creative way what the law says, with all its subclauses visually laid out. He consulted with the Utah legislators who prepared the bill, and his take on it is worth reading.

He was mightily surprised to see companies like Yahoo and AOL and Amazon and all the rest united against this bill. He concludes they have misunderstood the bill, and after researching it, I think that is indeed part of the problem. Novell's Vice President and Deputy General Counsel Ryan Richards wrote an Op Ed piece for the local paper about the bill in mid-March, "'Spyware' Bill Would Hurt Net Use", where he lays out the objections that he had to the bill and what he felt would be its unintended consequences. Here's a bit of what he wrote: ". . . the bill in its current form could potentially criminalize some of the most popular consumer software on the market, including popular media players, anti-virus programs, internet services, e-mail programs, and networking software."

After reading the bill itself, however, I believe he misunderstood the law, and I have concluded that the consequences are not unintended but rather precisely what the legislators meant to achieve. They intended that hidden spyware that transmits information about users without their consent be outlawed. It's a bit like the definition of spam. "Legitimate" advertisers would like us to exempt their mailings from that definition. Now they want us to exempt them from the definition of spyware. The Utah legislators passed a bill that doesn't make that distinction. They are telling all companies to just quit it.

Because Ed Felten's analysis of the bill included the statement, "I have not seen specific examples of legitimate software that would be affected," I asked Novell's Bruce Lowry what products of theirs might be impacted by this bill, if any. He replied that while the bill is written in a vague enough way that he wasn't quite sure, one product might be ZENworks, used to configure machines and update software, including security patches, remotely. You can see a demonstration of ZENworks in a video on Novell's coverage of its recent Brainshare conference. I thought it looked like a wonderful product, but it does have to monitor computer usage to work and it sends reports back to a remote server, "both actions that would appear to make ZENworks 'spyware' under the terms of the legislation," Lowry worries. "The language doesn't distinguish between this type of high value, legitimate monitoring of computer activity from those actions that the legislation is ostensibly targeting - i.e. unsolicited advertising."

That would be an understandable worry, if he were correct that the law outlawed that product and others like it. But my reading of the statute convinces me that the bill only requires companies to let users know how products like ZENworks do what they do, get user consent, which presumably they already do, and make it possible to uninstall ZENworks, if users want to later. How burdensome is that? Further, Section 5 specifically excludes "software designed and installed solely to diagnose or resolve technical difficulties."

The strong reaction to this modest bill -- and you can read a PDF letter written by the companies and organizations that united to oppose it -- makes me heart-sinkingly sure that companies currently do quite a bit of monitoring and that the bill is designed to solve a runaway problem. Obviously, currently there is no law against spyware, except in Utah, although there is a bill being prepared on the federal level, and the FTC is holding hearings in April. Europe is considerably ahead of the US on privacy issues, maybe because Madison Avenue is an American phenomenon.

Might Mr. Richards be referring to that popular media player of the same name that the EU Commission just ordered Microsoft to unbundle, for example? Considering Microsoft Media Player's calling-home features, I'd say "probably." And while everyone has been talking about "benign" and "important and beneficial Internet communication software", that perennial favorite "stifling innovation", and the bill burdening users with notices, as if anybody cared about us anyhow, the truth is more likely to be elsewhere. Might it be that advertisers are worried about their income stream, and that at least some of the objecting parties - who are also entertainment purveyors - want to know exactly what everybody is up to with their music and DVDs and intend to spy to the extent they think they can get away with?

There is also a chilling statement in the letter listing reasons the signatories oppose the bill: "The bill also would create serious barriers to collection of data that Internet companies and security companies use to analyze and prevent hacker attacks on the Internet. This security problem is exacerbated by the fact that computer hackers, and other criminals could refuse to consent to use the software that law enforcement officials need to be able to conduct investigations." What are they saying? That instead of getting court orders to track criminals, which doesn't require their permission, law enforcement officials currently track everybody with commercial spyware? That's the kind of revelation, if that's what they meant, that gives privacy lovers hives.

So, what does the bill outlaw?

First, what it doesn't outlaw. It doesn't say they can't spy on us customers. They just have to tell us, in plain language, what they intend to do and get our consent, and make it possible for us to uninstall whatever we let them put on our computers, if we later change our minds. Before you say no one would ever give consent, think about Google's toolbar. A lot of folks trust Google, and they say yes when Google asks if they can track them. And no, Google's toolbar is not outlawed by this bill, because they comply with the notice and uninstall requirements already. Maybe that's why many trust them.

Excluded from the definition of spyware are programs that diagnose or resolve technical problems, cookies, HTML code, and JavaScript used to report info stored on the user's computer, and operating systems. Plenty of wiggle room there. Anti-virus software and firewalls typically come with licenses that tell you what they do and thus get the necessary consent. The bill also outlaws intrusive ads that block the user's view of "legitimate" paid ads and website content. The liability for those who do it anyway is $10,000 per ad displayed, and that is tripled if the jury thinks they did it on purpose.

There is a catch. The victim can't bring a lawsuit. Only website owners, advertisers, and copyright and trademark owners (that elite bunch that legislators adore to write laws for) can sue. The rest of Utah's citizens must report violations to the Division of Consumer Protection, and the agency follows through, hopefully. The Utah legislators need to vote some funding if they are serious about stamping out spyware in Utah.

Ben Edelman tells me it wouldn't surprise him to see exactly that happen in coming years. "I think the bill reflects a good initial attempt to protect consumers and web sites from the many negative effects of spyware programs," he says, "and I think it offers a sensible and workable framework for doing so."


New vulnerabilities

courier - Remote buffer overflow vulnerabilities

Package(s): Courier
CVE #(s): CAN-2004-0224
Created: March 29, 2004
Updated: April 1, 2004
Description: Remote buffer overflow vulnerabilities have been found in Courier-IMAP and Courier MTA. These exploits may allow the execution of arbitrary code, allowing unauthorized access to a vulnerable system.
Gentoo 200403-06 Courier 2004-03-26


emil: Buffer overflow and format string vulnerabilities

Package(s): emil
CVE #(s): CAN-2004-0152 CAN-2004-0153
Created: March 25, 2004
Updated: March 31, 2004
Description: The emil mail filter utility has buffer overflow and format string vulnerabilities that can be exploited locally and remotely. It may be possible to craft an email that exploits the vulnerability and executes arbitrary code.
Debian DSA-468-1 emil 2004-03-24


ethereal - multiple vulnerabilities

Package(s): ethereal
CVE #(s): CAN-2004-0176 CAN-2004-0365 CAN-2004-0367
Created: March 29, 2004
Updated: June 2, 2004
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3. More information can be found in this advisory from and in this Eye on Security advisory.
Debian DSA-511-1 ethereal 2004-05-30
OpenPKG OpenPKG-SA-2004.015 ethereal 2004-04-16
Red Hat RHSA-2004:137-01 ethereal 2004-03-31
Mandrake MDKSA-2004:024 ethereal 2004-03-30
Conectiva CLA-2004:835 ethereal 2004-03-31
Red Hat RHSA-2004:136-01 Ethereal 2004-03-30
Netwosix NW-2004-0007 ethereal 2004-03-29
Gentoo 200403-07 ethereal 2004-03-28


monit: buffer overflow and DOS

Package(s): monit
CVE #(s):
Created: March 31, 2004
Updated: April 19, 2004
Description: The monit system administration program through version 4.1 suffers from remotely exploitable buffer overflow and denial of service vulnerabilities.

Two additional vulnerabilities have been found in the HTTP interface of monit, possibly leading to denial of service or execution of arbitrary code.

Gentoo 200404-16 monit 2004-04-19
Netwosix NW-2004-0008 monit 2004-04-06
Gentoo 200403-14 monit 2004-03-31


oftpd - denial of service

Package(s): oftpd
CVE #(s):
Created: March 29, 2004
Updated: April 5, 2004
Description: A remotely-exploitable overflow exists in versions of oftpd 0.3.6 and earlier, allowing an attacker to crash the oftpd daemon. Issuing a port command with a number higher than 255 causes the server to crash. The port command may be issued before any authentication takes place, meaning the attacker does not need to know a valid username and password in order to exploit this vulnerability.
Debian DSA-473-1 oftpd 2004-04-03
Gentoo 200403-08 oftpd 2004-03-29


openldap: denial of service

Package(s): openldap
CVE #(s):
Created: March 31, 2004
Updated: March 31, 2004
Description: Versions of the OpenLDAP server through 2.1.12 suffer from a remotely exploitable denial of service vulnerability; some more information can be found in the OpenLDAP bug tracker.
Gentoo 200403-12 openldap 2004-03-31


pam-pgsql - missing input sanitizing

Package(s): pam-pgsql
CVE #(s): CAN-2004-0366
Created: March 29, 2004
Updated: March 31, 2004
Description: Primoz Bratanic discovered a bug in libpam-pgsql, a PAM module to authenticate using a PostgreSQL database. The library does not escape all user-supplied data that are sent to the database. An attacker could exploit this bug to insert SQL statements.
Debian DSA-469-1 pam-pgsql 2004-03-29


squid - vulnerability in URL decoding

Package(s): squid
CVE #(s): CAN-2004-0189
Created: March 29, 2004
Updated: April 20, 2004
Description: A bug was found in the processing of %-encoded characters in a URL in versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses Access Control Lists (ACLs), a remote attacker could create URLs that would not be correctly tested against Squid's ACLs, potentially allowing clients to access prohibited URLs.
Whitebox WBSA-2004:133-01 squid 2004-04-19
Fedora FEDORA-2004-104 squid 2004-04-15
Red Hat RHSA-2004:133-01 squid 2004-04-14
Conectiva CLA-2004:838 squid 2004-04-12
Debian DSA-474-1 squid 2004-04-03
OpenPKG OpenPKG-SA-2004.008 squid 2004-04-01
Mandrake MDKSA-2004:025 squid 2004-03-30
Gentoo 200403-11 squid 2004-03-30
Red Hat RHSA-2004:134-01 squid 2004-03-29


tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s): tcpdump
CVE #(s): CAN-2004-0183 CAN-2004-0184
Created: March 30, 2004
Updated: September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Fedora-Legacy FLSA:1468 tcpdump 2004-09-29
Whitebox WBSA-2004:219-01 tcpdump 2004-06-10
Red Hat RHSA-2004:219-01 tcpdump 2004-05-26
Fedora FEDORA-2004-120 tcpdump 2004-05-13
Slackware SSA:2004-108-01 tcpdump 2004-04-17
Mandrake MDKSA-2004:030 tcpdump 2004-04-14
OpenPKG OpenPKG-SA-2004.010 tcpdump 2004-04-07
Debian DSA-478-1 tcpdump 2004-04-06
Trustix TSLSA-2004-0015 tcpdump, libpcap 2004-03-30



Open Source Vulnerability Database Opens

After some two years in the development process, the Open Source Vulnerability Database has opened its virtual doors. "The Open Source Vulnerability Database (OSVDB) is an open project to collect and distribute vulnerability information freely to everyone. The project team contains skilled volunteers working together to document every security vulnerability that arises."


Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds