Spyware is indeed criminal by its very nature

As US legislators act to make covertly installing spyware on computers illegal, I would be curious to know why Ron Paul thinks otherwise?

Surely installing unrequested spyware is no different than any other unauthorised intrusion onto private property? Is it any different from inviting a travelling salesman into your house only to later discover he covertly installed bugs and hidden cameras when you were not looking so that he could monitor your behaviour for his own benefit?

27 comments to Spyware is indeed criminal by its very nature

  • I expect it’s because the House bill is illegal. Under the US Constitution, Congress has no such power.

  • Crosbie

    According to CNET, Ron Paul believes the federal government should not be policing the internet. I doubt the voyeuristic travelling salesman would be subject to federal law either.

  • How do you figure it’s unconstitutional? Congress has the power to regulate interstate commerce under Article 1, Section 8, so it would seem to me to be clearly constitutional.

  • Richard Bellamy

    There’s “unconstitutional” and then there’s “Ron Paul unconstitutional.” He looked for — and failed to find — the “Spyware Clause”. Other votes for which Ron Paul was the lone dissenter:

    1. a bill to help runaways and exploited children

    2. a bill against “date rape” drugs.

    3. a bill urging Haiti to conduct free and peaceful elections

    4. a bill urging China not to use force against Taiwan

    5. almost every otherwise-unanimous award of a Congressional Medal (waste of money).

  • Walter Wallis

    Sometimes Ron is just against to be against. Like it or not, the internet is a government creation. You don’t like it, do a Ted Turner and open a private, cablebound net.

  • Weebel

    Given the state of the American State, doesn’t it seem appropriate to have at least one (and barely only one) who’s “just against to be against”? God help us when all we have are ‘just’ Democrats and Republicans.

  • Re: private property.

    There are some who would claim your PC is *not* your private property. Sure, you own the silicon and steel box, but the software is licensed to you, and it’s up to Microsoft what they let you run on your machine. If that includes spyware, so be it. This is currently an exaggeration, but don’t doubt that it will come about soon enough.

  • Jonathan Wood

    Ron Paul is easily the most libertarian leaning member of congress and in my opinion this is just one more regulation we do not need. Furthermore the definition of spyware and its implications in interstate commerce are vague at best.

    We need more Ron Pauls in our government, discouraging individuals such as him is counterproductive. Painting him as some sort of arbitrary right-wing nut only emboldens the Kennedys, Kerrys and other statists of our generation.

    I am no fan of spyware, however I’m certain no matter the amount of legislation there will always be loopholes and technicalities through which it will continue to be used (although in a somewhat different manner).

  • Jacob

    Question to lawyers:
    Couldn’t spyware be prosecuted under some existing laws? Do we need a new law? Couldn’t I claim trespassing and sue for damages? Any lawyer willing to start a class action against spyware? Since one of the worst offenders is MSN (Microsoft) – wouldn’t a class action against them be interesting?

  • Albert

    James: “There are some who would claim your PC is *not* your private property. Sure, you own the silicon and steel box, but the software is licensed to you, and it’s up to Microsoft…”

    Another good reason to dump Microsoft and get Linux.

  • ian

    Presumably a bill prohibiting spyware might come into conflict with the Patriot Act? Or does that override everything?

  • Chuck Pelto

    TO: Albert
    RE: Heh…

    “…it’s up to Microsoft…’

    Another good reason to dump Microsoft and get Linux.” — Albert

    I wonder if this legislation will be lobbied against by Microsoft, considering what I understand of their imbedding little thingies in their software that look to me like they’d qualify as spyware.

    Either Linux or a Mac. Or a Mac that runs Linux too.

    Regards,

    Chuck(le)

  • Chuck Pelto

    TO: Ian
    RE: The Patriot Act?

    “… a bill prohibiting spyware might come into conflict with the Patriot Act? Or does that override everything?” — Ian

    I suspect there are provisos for government spying using spyware-esque techniques.

    Regards,

    Chuck(le)

  • Harvey

    I’ve never had any spyware on my machine, and that’s because I actually pay attention to what the popup dialogs on webpages say, among other things. This law will outlaw ‘invisible installation’ spyware but Comet Cursor etc will still be pervasive because of idiots who click everything that they see just to make it go away.

    This law is well-intentioned, but at the end of the day it aims to replace user vigilance with a legal code that will be immediately circumvented by the data collection agencies moving their offices abroad and selling the collected data back to US/UK/whomever companies without restriction, thus instilling a false sense of security in the users. I think that the main reason it was created was because, as stated in the article: “Barton acknowledged that experts had recently found more than 60 varieties of spyware installed on the panel’s own computers.”

    This is reactionary crap with no gain. Administer your own systems effectively: they are a hugely complicated tool and deserve and require a modicum of respect. Rude software and spyware may be becoming the order of the day, but it doesn’t take _much_ vigilance to protect yourself from such intrusions. Systems that process vital and sensitive data should not have an internet connection anyway – the risk is just too great.

  • Sorry Harvey, but to put it bluntly you miss the point spectacularly. It is rather like saying burglary should not be illegal because people can install security systems to keep burglars out. No, the act of even trying to steal something should be illegal (we call it breaking and entering… circumventing my security is ‘breaking’ just as certainly as jemmying open one of my windows is).

    Moreover unless you are completely obsessive, it is almost impossible to avoid all spyware if you surf a great deal.

    No, if someone is trying to steal something from me, my information for example, they should go to jail for just trying to steal it let alone succeeding.

  • Sporklift Driver

    Also Harvey since the crime is performed in the country of the computer owner, moving out of the U.S. would not make the act legal. I would hardly expect the government to attempt to extradite a perpetrator for a single intrusion, any successful spyware will infect millions of machines.

    I keep my own machine clean, but the machine I allow my roommate to use and the machines I share with others at work HAVE been infected sometimes with disastrous and costly results.

  • Harvey

    They’re not ‘stealing’ information, Perry. For one, the information wouldn’t _exist_ without the spyware (for it is the spyware which collates and logs the relevant activity and formats it for uploading to the parent server.) Secondarily, the spyware runs with the cooperation of the user (or to put it another way, they can remove it if they wanted to be bothered to learn how, but most don’t care.) You are trying to set a very worrying precedent, namely that the user is NOT RESPONSIBLE for what software is installed on their machine and what that software does – and that’s not really a standard I’d like to see being set. That is just another line in the step towards making computers into overblown TV sets that the user is permitted no control over: i.e. if users can’t be asked to take responsibility for what the machine can do, should they be allowed access to such ‘advanced features’ as ‘running non-sanctioned applications’ etcetera.

    What is being said here is ‘people click things and don’t read licence agreements and then don’t want to take responsibility, so we’ll make a law abrogating responsibility, which won’t make any real difference because laws are local and the net is global, but it’ll look good.’

    Spork, if I wanted to get around the legality, I’d incorporate the spyware company in Brazil and set out in the licence clause that it is a copyright offence to use the software outside of that country, but that the software could be hosted or distributed by any sites anywhere. Done/done. Really, people need to stop making laws like this because they totally undermine the legislature – they might as well legislate that the tide isn’t going to come in any more.

  • Tom Jaquish

    1. We are better off policing ourselves than mewing to the government about every sour note on the internet. A congress that will regulate spyware will also regulate content at the demand of constituents.

    2. About 5 times in the past year, I’ve heard it claimed that the government owns the airwaves (and all telecommunications, I suppose). There is no truth to this rumor. Ron Paul is right that the constitution is quite clear that telecommunications belongs to the states or to the people, because no specific regulatory powers were given to the congress. But wait, you say, there is no way those guys in powdered wigs and knickers could have known about electromagnetics. In reply, I’ll refer you to the ninth and tenth amendments.

  • Guy Herbert

    I think Harvey does have a point. Spyware that isn’t invisibly installed without announcement, is no different from the unreasonable clauses that many large organisations insert into their form contracts (“nothing we learn from you is confidential information”, “we have no liability for anything, and even if we do it is limited to $50”, etc).

    I suspect Perry’s normal position on such terms would be if you don’t like the deal don’t take it, even where no individual negotiation were possible and the market is full of firms making identical unacceptable demands.

  • I have no (big) problem with ‘bozoware’ installed by idiots who click on things they reasonably should not… but when spyware tries to install via a script the instant you visit a seemingly innocuous site and is only stopped by software defending the registry from being edited, I think that is tantamount to an attempt at breaking and entering.

    And saying ‘well you should not have scripts turned on’ is like saying it is okay for burglars to rob me because I dared to leave my window open.

  • Harvey

    Perry, it’s not very similar at all really, is it?

    Leaving your window open could well be analogized as leaving your machine on, connected to the net and unfirewalled, but not actually doing anything, just leaving it there. If you did that you’d be (in today’s internet) infected by Nimda or CodeRed or any of the other ‘attack’ viruses which are criminal software created with criminal and malicious intent. This is of course wrong and is illegal.

    But, if you go to a website and a script tries to install spyware? Well, that’s the deal you get in exchange for being able to see whatever it is the site has to offer, isn’t it? In some ways it’s like going into a shop and being buttonholed by a rude salesman who wants to know everything about you – not very inviting, but not illegal. At the end of the day though, your browser (controlled by you) initiated a session with the remote server and obtained the scripts which it was then instructed (albeit as a default setting) to run by you, the user. What those scripts do is your responsibility.

    It’s wrong, it’s reprehensible, it’s politically incorrect but that’s what an unregulated environment is like – anything goes, as long as it’s not blatant theft – and it’s not. I further contend that sites that advertise using spyware and similar ‘dodgy’ methods are rarely ‘clean’ sites – translating to the real world: if you want to swing by the ghetto and buy some crack, pack some heat (or in this case, armour.) If you can’t see where the responsibility lies then I really have no further argument to offer.

  • “Well, that’s the deal you get in exchange for being able to see whatever it is the site has to offer, isn’t it?”

    No. It is the equivalent of going into a shop, deciding you do like what they have on offer after all, but when you leave, a salesman slips a tracking device in your clothing without telling you. If they say “the terms and conditions of entering this shop are…”… but they do not, and that is why I say it is criminal behaviour.

    Likewise, leaving scripts enabled (because otherwise your ability to browse is lobotomised) is not like not having no doors on your house, it is like leaving your window open on a hot day because it is just better for you. I leave the window open but have bars up, just as I have a regedit monitor to protect me from spyware messing with my machine. But attempting to saw through my bars is not acceptable.

    “…anything goes, as long as it’s not blatant theft – and it’s not”

    No, it is indeed blatant theft and anything does not go. Anything goes with prior consent. Anything else is a crime and that is why unannounced spyware is a crime.

  • ian

    There’s a first – I agree wholeheartedly with Perry!

  • Harvey

    I do not believe that in its current incarnation, flaws included, IE is permitted to download and execute applications that result in the installation of spyware/trojans/whatever on your machine without having to OK at least one dialog first. ActiveX scripts can do a lot but they specifically can’t download executables or modify the registry – for that to happen you either have to have your security settings set to the extremely ill-advised low/none (i.e. giving implicit consent for anyone to do whatever they like – as this is an option you have to specifically set, I consider that informed consent) or they have to present the user with an OK dialog first.

    I am not arguing that spyware that installs totally silently without any warning, dialog etcetera is permissible, as surely it is not.

    I am just trying to say that I do not believe that any such totally-stealthed spyware exists and can be installed without you having to click at least _one_ dialog.

    If there are examples of these totally invisible spywares about then I will condemn them wholeheartedly, but as far as I know there are _none_ – and if you ‘OK’ an ActiveX/download/javascript dialog on a website then you just agreed to any licence agreement that you didn’t bother to read, providing it’s legal. Does this not seem a reasonable position to take?

  • Ron

    One of my cheapest machines was recently infected with the SpyBot code, when I installed Windows XP Service Pack 2 which is supposed to massively increase protection! to complement my existing virus protection.

    (BTW, note that products like the Norton Internet Security package specifically state that you have to disable the Windows Firewall that comes with SP2 to allow their package to work.)

    I have some old freeserve-type email accounts that I monitor very occasionally using Outlook Express with very severe Inbox message-rules to ‘delete-at-server’ anything vaguely spam-like. Anything else unrecognised that got through was kept at bay by disabling the Preview Pane so that the messages were not opened before I had a chance to bulk-delete them unopened from the Inbox.

    What I didn’t know was that installing XP SP2 seems to reset Outlook Express to its default settings including an active Preview Pane, so that when email next appeared in the Inbox the first item in the list was opened automatically.

    Within seconds the Favorites menu had gained a bunch of links to about 30 different groups of hard-core websites and the System folder had received a variety of batch files that opened up FTP sessions to remote servers to upload yet more executables to the PC.

    That PC has now been rebuilt (it was full of old junk anyway) – but it made me wonder about Firewall technology limitations, since the above-mentioned FTP batch files had effectively made my PC actively request the uploads, as opposed to being on the receiving end of unsolicited upload requests.

    Interestingly, I have been able to examine the FTP batch files and use the NBTSTAT program to successfully query the originating remote server (a 5 PC network) – whether my ISP will make anything of the information is yet to be seen.

  • speedwell

    Just because Harvey says it’s so doesn’t mean it’s so, people. “Stealth” spyware does exist. I use SpybotSD and Ad-Aware to clean it off my computers every few days. SpybotSD, if you know how to configure it, is good at telling me when something tries to change my registry.

    I bet if Harvey downloaded current versions of both those programs and ran them right now, he’d be shocked by what is running on his computer (assuming he runs Windows).

  • Harvey

    I use both Spybot Search&Destroy and Lavasoft’s AdAware, and there’s not one single process, registry key or other thing (apart from all the ad cookies that don’t matter a damn) that shows up in any of the reports: see above – I know how to use my equipment.

    Even without all those helpful tools, it’s not hard just to punch up task manager and look for stuff that’s out of the ordinary. It’s a bit like checking the oil pressure, temperature, etc on your car when you start it every now and then – basic preventative maintenance that no-one bothers to do any more.

    Speedwell, show me some websites/etc that install stealth spyware. Examples please, that when I visit them with the current version of IE (albeit I don’t normally use IE but I’ll concede that most people do) with default security settings (Windows 2k SP4) will install programs and modify my registry without presenting me with any dialog boxes to click or any warning.