Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Software Bug

The Pure Software Act of 2006 261

Posted by michael
from the ideas-whose-time-have-come dept.
lurker412 writes "The MIT Technology Review features a proposal by Simson Garfinkel to provide honest labels on software in the same way that the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products. The proposal targets adware, spyware and other unsavory practices. It suggests that by requiring software manufacturers to include clear icons for each nasty behavior--rather than hide the disclosures in seldom read or understood click-through SLAs--end users will be better protected. Garfinkel specifically lists eight types of sneaky behavior, but the list is not meant to be exhaustive."
This discussion has been archived. No new comments can be posted.

The Pure Software Act of 2006

Comments Filter:
  • The 'Evil' Bit (Score:5, Interesting)

    by plover (150551) * on Friday April 09, 2004 @02:56PM (#8819273) Homepage Journal
    I can hear the software vendors right now. "Oh, sure, I'm going to label my software as 'pop-up', that'll bring in the customers, oh, yeah!" More likely, they'll fight it on the grounds of anyone who ever made or makes use of the Yes/No dialog box -- "That's a pop-up, too, make them label their software." Totally meaningless.

    Anyway, did anyone else read this and think immediately of the Evil Bit? The whole thing has got to be a joke, right?

    • Wow, every single Microsoft application I've seen qualifies under at least ONE of these icons:

      Hook, Modify, Remote Control, Self-Updates and even Stuck.

      • by plover (150551) * on Friday April 09, 2004 @03:08PM (#8819452) Homepage Journal
        Hahahaha -- I read your comment and saw the last icon as "Sucks". It worked for me...
      • So? Nearly every program my company writes does all of those as well. And our customers love us for it.

        A program that alters the underlying operating system is not a problem unless it messes something up and then won't fix it. We test our stuff, and if it breaks your machine, we fix it.

        Of course, we have a market of several thousand clients, and not several millions...
        • Re:The 'Evil' Bit (Score:3, Insightful)

          by Glamdrlng (654792)
          So? Nearly every program my company writes does all of those as well. And our customers love us for it. More power to them. The fact that they love you for it implies that they know that you do it. As a consumer, I have a right to know how my machine is going to change when I click setup.exe. How many people do you think would have installed bonzi buddy if they knew all the different crap it did?
    • Re:The 'Evil' Bit (Score:5, Insightful)

      by badasscat (563442) <basscadet75@y a h o o . c om> on Friday April 09, 2004 @03:08PM (#8819448)
      I can hear the software vendors right now. "Oh, sure, I'm going to label my software as 'pop-up', that'll bring in the customers, oh, yeah!" More likely, they'll fight it on the grounds of anyone who ever made or makes use of the Yes/No dialog box -- "That's a pop-up, too, make them label their software." Totally meaningless.

      Oh, I don't know. You could have said the same thing about food labels, but the fact is a lot of the food industry actually wanted them. I would think the same about this. Honest software vendors (which is still the majority of the industry), I would think would jump at the chance to be part of something like this, because it would help distinguish why their software is better than the shyster spamware and adware companies' stuff. I mean what if on the one hand you have Real with a whole bunch of scary icons, and on the other you have Apple with only one or two for QuickTime/iTunes? If I were Apple I'd be very happy about this. That's just one example; the easiest that came to mind. In every category you'd have companies on both sides of the issue, depending on who would benefit; it just depends on who's got the most lobbying power in each specific case.

      And btw, to respond to another early comment, I too wondered initially what a certain musical duo was doing putting forth software regulation recommendations when I first read the posting.
      • Labels - but not. (Score:5, Insightful)

        by Allen Zadr (767458) * <.Allen.Zadr. .at. .gmail.com.> on Friday April 09, 2004 @03:26PM (#8819643) Journal
        One thing that makes this less desirable from a software marketing standpoint is that in the short-term (early adoption), there is no 'negative' labels, where 8 negative labels means that your program could be considered 'safe' computing.

        Further, there are several games that ship with Microsoft DirectX. That modifies your operating system. The program's package can't be labelled without the (wrench icon), unless it comes with installation instructinos about how and where to download the required ActiveX features.

        In otherwords, sometimes the labelling will simply get in the way of the whole truth.

      • Re:The 'Evil' Bit (Score:5, Insightful)

        by MoonBuggy (611105) on Friday April 09, 2004 @03:32PM (#8819710) Journal
        This will help with the companies like Limewire who are pretty much legit but morally questionable, which is good.

        Unfortunately, however, the worst spyware/malware I've seen, the stuff that really grinds computers into the ground and makes people call me to fix their computer that 'just broke' is porn browser bars, porn autodialers etc. These are the kind of companies who are just below the bar of complying to the law but still a little way above outright theft. The legislation is a good idea, but what it'll mean is that there's less spyware out there and what does stay active will be all the worse and better hidden too.
      • Aside from the pop-ups one (which may be difficult to "guage"), all of these features could be good or bad depending on the circumstances. The logic being, IF it has a lot of icons, AND you trust the company, then it's still safe to buy.
        OTH, if it has a lot of icons and you DON'T trust the company, it's probably NOT safe to buy. If it has one or no icons and you don't trust the company (or you do), it probably can't hurt.

        Example:

        Auto-Update, Uninstallable, and Modify system for a service pack from MS is no worse than Modify System + Popups from a "Free Web Accelerator" from some random website.

        I can see them sticking those icons right next to the "recommended system requirements". It'd start looking like a Nutrition Facts label. They just need one for "Requires Administratrive Privledge", and maybe they should either add one that says "Directly Controls Hardware" too.

        And I think the telephone calls one and pop-up ones are too specific. The telephone call one should be more like "can incur incremental cost automatically" (so it'd apply to MMRPGs or Click n' Run as well) and the pop-up one should simply be "Adware".
      • "lot of the food industry actually wanted them"

        Or not. Or better they just wanted something they can control, and not really regulated in detail.

        Here is an example (theoretical):

        Coke: 200 Cal
        Fat Free Milk: 90 Cal

        Clear labeling? Nope.

        Coke: 100 ml
        Fat Free Milk: 1 Cup

        Which has more calories per volume, and how many times does the Coke have? Good luck. Beter carry your calculator.

        Other:

        Fat is a major source of calories, but human body won't function without it. But Saturated fat converts into cholestero
    • But that's the whole point isn't it.. to be "honest". No I don't mean the sordid implication of honesty from the POV of the producer, it mean it's implication in the context of the consumer.

      Think why some people won't buy foods with Histamine in them -- and what prompts them against doing so. It's the food labels. Back to when the food labels were legislated into compulsion for all food products companies, I'm sure someone could have made an equally good arguement that they could hear the food processor
    • Re:The 'Evil' Bit (Score:3, Insightful)

      by TALlama (462873)
      The solution to this is a 'Clean' icon. If the software has it, it by definition does not have any of the behaviors denoted by the other icons. Trademark all the icons, and make sure that people can only use the 'Clean' icon if the code is verifiably clean (which you can pay to have done for you).
    • More evil bits .... (Score:5, Interesting)

      by Frater 219 (1455) on Friday April 09, 2004 @03:44PM (#8819881) Journal
      It ain't a joke. Honest software makers will indeed likely support it, since it allows them to make clear how their software differs from crapware. I'd go for a few more labels, though, intended to illustrate the intent of the software, so you get what you are paying for.
      • A portcullis. This software filters or alters the content of files or incoming Internet traffic. Web pages you see, for instance, might not represent the exact transmissions of the Web server or the intent of the author. Appropriate to anti-virus software, porn-filtering censorware, privacy software [privoxy.org] ... and adware that replaces ad banners with other ad banners.
      • A police badge. This software runs by default under elevated or superuser ("root" or "Administrator") privilege. (Simply requiring superuser privilege to install the software doesn't count. Creating a dummy user with most of the privileges of the superuser does, though.) Therefore a bug in this software, including a security vulnerability, can affect anything on your computer -- not just the files owned by the user actively using it.
      • A cable plugged into a wall socket. This software accepts incoming network connections in the default configuration. If you do not intend this software to accept traffic from the Internet, you will need to change the configuration or have a firewall.
      • A computer with an arrow through the monitor. This software is designed to be remotely disabled by the publisher under certain circumstances (such as breach of license or expiration of subscription). The fact that it is installed and working today does not imply that it will continue to work without future intervention.
      • A closed mouth with a finger making the "shush" gesture. This software's license forbids or encumbers the publication of reviews without the permission of the publisher. Reviews you may have read of this software may have been selected by the publisher to represent it in an unfairly positive light.
      • A pair of handcuffs. Documents or other files you produce using this software are encumbered by its license, patents, or other proprietary rights of the publisher. Appropriate for a word processor whose file format is patented, or a compiler whose license forbids you to use it to write software that competes with the publisher's other software.
      • by cloak42 (620230)
        A closed mouth with a finger making the "shush" gesture. This software's license forbids or encumbers the publication of reviews without the permission of the publisher. Reviews you may have read of this software may have been selected by the publisher to represent it in an unfairly positive light.

        Any license that would prevent you from reviewing the software is highly illegal. Reviews are explicitly covered under the Fair Use clause of copyright law. So much, in fact, that it's entirely legal to inclu
    • Re:The 'Evil' Bit (Score:5, Insightful)

      by SnappleMaster (465729) on Friday April 09, 2004 @04:58PM (#8820786)
      Yeah this is stupid. Basically people who write this crap-ware would have to have a label that says, in effect: "This software will do something you do not want it to. It will annoy you and may expose personal information. Do yourself a favor and do not install it."

      Plus this is yet another American idea. The Internet is bigger than America. American laws would only protect people from software written in America. What about all the crap-ware that gets written elsewhere?

      Bottom line: I give this idea 9.5 out of 10 stupids.
  • by pudding7 (584715) on Friday April 09, 2004 @02:57PM (#8819279)
    Anyone see the name as "Simon and Garfunkle"?

    I'll go back to work now...
    • by Prince Vegeta SSJ4 (718736) on Friday April 09, 2004 @03:01PM (#8819345)

      Hello Clippy, my old friend,

      I've come to talk with you again,

      Because a exploit softly creeping,

      Left its worms while I was sleeping,

      And the vision that was planted in my brain

      Still remains

      Within the sound of silence.

    • The dude [harvard.edu] even looks like Simon & Garfunkel! [amazon.com]
    • by Fnkmaster (89084) on Friday April 09, 2004 @03:24PM (#8819618)
      My friends and I have a theory about Simpson - his career as a technology writer and pundit is based primarily on the Memorable Name principle (also known as the "American McGee principle"). This phenomenon seems particularly common in the tech industry.


      American McGee is, in my opinion, an emblematic case of this phenomenon. Why was his game called "American McGee's A.L.I.C.E."? Do you ever hear about "John Smith's BullshitGame 2003"? I think not (we won't get into whether or not the game here sucked, which I believe everybody can agree with). Why was Mr. McGee a speaker at so many industry conventions and trade shows? Was it because of his amazing intellect and insights? His colorful lively presentation style? The quality of his work in the gaming industry? No, it's because his fucking name is "American McGee".


      Simpson Garfinkel is a pretty good tech writer. Certainly a lot more knowledgeable than some of the idjits out there. But first and foremost, his success and the attention he gets is because his name is eminently brandable and memorable due to its remarkable resemblence to "Simon and Garfunkle". This works at a subconscious level, from what I've observed, even when people don't immediately note the resemblence of his name - they note what a strange name it is, and they always seem to remember it later if they encounter it again.


      I won't bother getting to all the other examples of this phenomenon at work - some of them are people I know personally who are great people but owe much of their success to this kind of clever branding ("Jennifer 8. Lee" anyone?). The power of this phenomenon is undeniable. We may all sit around and think we are above this kind of low-level marketing manipulation of our brains, but we need to face the facts: we are being manipulated by the Strange Name Mafia into their sick and twisted view of the technology industry.


      Boycott weird-named pundits. Err. Or something.

  • First he writes "Bridge Over Troubled Waters" and now this!!
  • Erm... (Score:5, Insightful)

    by r4bb1t (663244) on Friday April 09, 2004 @02:59PM (#8819317)
    How do they plan on labeling software solely distributed over the internet? I'd venture to say that 90% of the spyware that's out there comes through download-only software (DivX, peer to peer software, etc...).
    • Re:Erm... (Score:2, Interesting)

      by RiotXIX (230569)
      maybe have icons on the installation screen next to the giant terms of Agreement document?
    • Re:Erm... (Score:3, Informative)

      by theghost (156240)
      Require that the icons be prominently displayed on a special confirmation page before purchase or download can occur. Require a similar screen as a part of any installer.

      Trivial.
  • by MacFury (659201) <me&johnkramlich,com> on Friday April 09, 2004 @02:59PM (#8819319) Homepage
    Implementation would be far too much trouble. Developers would fight you at every turn. Would my software be spyware if I had it collect general system stats if you choose to register, so that I know the average machine speed of my clients? Would that carry the same label as a program that logged every keystroke and sent that back?
    • by kawika (87069) on Friday April 09, 2004 @03:07PM (#8819437)
      You missed the point, or more likely did not read the article. Having one of these icons doesn't mean your program is "spyware". It means that your program performs one or more of these functions. Other programs such as virus scanners or keyboard drivers might have them too. The point is to inform users in a concise way of program behaviors that may cause some sort of trouble. The more of these things a program does (like autoupdate or sending back click data) the harder a user should look at the license to be sure they really trust what is going on.
    • Q: Would my software be spyware if I had it collect general system stats if you choose to register, so that I know the average machine speed of my clients?

      A: Yes. Most programs that have a reason to do this already warn you anyway. I didn't see anything specific, but it would be fine if it worked like Ratings that describe WHY they are there. For example, if it listed next to the 'Reports Home' icon a blurb that says 'User controlled system reporting for research' it would be fine. As for who would w
    • by Have Blue (616)
      It just means that you have to inform the user that you are doing that, which you should be doing anyway, using a standard icon or text for "collects performance statistics" as defined by this law.
    • I think you've given an argument against both idea and implementation.

      Differences of interpretation like the example you give are inevitable, also it would be impossible to catalog every example of unexpected and undesirable behavior - changing the clock, tinkering with modem settings... the list is endless.

      I think that in future the early 21st century IT scene will be noted for its curious inability to deal with programs as information. Today it seems perfectly normal to have encrypted (binary) forms of
    • by Cecil (37810) on Friday April 09, 2004 @03:41PM (#8819843) Homepage
      Would my software be spyware if I had it collect general system stats if you choose to register

      Absolutely. If you don't show me every piece of info you're sending through the registration process, it's spyware.

      Are you sending the processor model? How about the MHz? What if I've overclocked? Maybe I don't want you to know that. Does "General system stats" include a list of running processes perhaps?

      If you want to have me send in an automatically-filled out survey about my machine, I might be happy to do that for you, provided I can see and change the answers as needed. It is a survey, right? You are trusting my answers, right? If you covertly sneak some auto-detected information about my system into your registration process, that's spyware.
  • From the guys who divulged KFC's secred recipite. Sorry, I couldn't resist...
  • by Anonymous Coward on Friday April 09, 2004 @03:00PM (#8819328)
    to denote buggy code?
  • Finally (Score:5, Informative)

    by JoeShmoe950 (605274) <CrazyNorman@gmail.com> on Friday April 09, 2004 @03:01PM (#8819347) Homepage
    Spyware is a big problem which isn't Window's fault. Because windows is the biggest, it gets targetted by spyware. You can still right a program which uses 100% CPU Usage and makes everything really slow,etc. for another OS, no matter how secure. Unfortunetly, its targeted at windows. My friend thought that windows XP was horrible because it was running so slow. On a 2ghz, it would take 5 minutes to load IE. I showed him Ad-Aware from lavasoft. It detected 589 spyware objects, quite a few of them different. I found that a big problem with spyware, is not only the spying, yet the fact that it slows your system to a hault. If this works, and makes spyware go away, or atleast well known spyware label itself (such as gator), I will rejoice.
    • That's funny. I run Mozilla/Firefox when I'm forced to boot into XP because of work. Doesn't seem to have the problems with allowing software to be installed just by visiting a site.
      A lot of the problem are things like "Comet Cursor" and "Bonzi Buddy" that promise some cutesey interface tweak or effect, and then co-opt your computer in the process without being terribly forthcoming about it. If they were forced to have a big icon of, say, that guy in Indiana Jones taking people's beating hearts out, I t
      • Re:Finally (Score:3, Insightful)

        by kawika (87069)
        That's funny. I run Mozilla/Firefox when I'm forced to boot into XP because of work. Doesn't seem to have the problems with allowing software to be installed just by visiting a site.
        Right, and having everyone switch browsers would solve the problem. Not. The preferred spyware delivery method would just switch to email, bundling, or social engineering tricks that work well for FireFox. The FireFox download dialog is much less informative than the IE one, for example.
    • Re:Finally (Score:5, Insightful)

      by ThisIsFred (705426) on Friday April 09, 2004 @03:26PM (#8819644) Journal
      Spyware is a big problem which isn't Window's fault. Because windows is the biggest, it gets targetted by spyware.

      Sorry, but that's complete and utter bullshit. My tech team spends too much time cleaning up after malware. I made the mistake of switching our organization over to IE several years ago, mainly due to complaints about compatibility. The majority of these nasty malware programs take advantage of design flaws in IE to enter the system and remain there.

      I'm now testing Netscape 7 as a standard browser. It cannot be modified, or accessed through the operating system as can IE. Therefore, most of the loading schemes used by malware do not work. So IE is definitely part of the problem. IE is part of Windows, so it is Windows' fault. Malware programs modify Windows so that they can run as extensions to the operating system, and no actually up as a process in the process list.
      • "...no actually up as a process..."

        Correction:

        "...not actually show up as a process..."
      • I think the parent poster had it right, and if anything you're arguing for their case, not against it.

        In case you haven't noticed, much as Windows is the overwhelmingly dominant OS, IE is the overwhelmingly dominant browser. That's not to say that IE is without its flaws, and it's not to say that other browsers do have flaws (although they do). But you're kidding yourself if you don't think the main reason there's more malware for Windows/IE than anything else is because of their popularity. Ease of
        • Re:No... (Score:4, Insightful)

          by ThisIsFred (705426) on Friday April 09, 2004 @07:02PM (#8821722) Journal
          But you're kidding yourself if you don't think the main reason there's more malware for Windows/IE than anything else is because of their popularity.

          To agree with you, I'd have to accept that popularity, and not design, is what creates security flaws. No, sorry, I'm not buying it. Netscape, with it's 6 major vulnerabilities that have long since been patched, I can sit here and surf all day without picking up any malware. Windows is the problem, and IE is the enabler, if you will. I'm going to be switching our network workstations over to Netscape, and EULA-be-damned, I'm going to find a way to cripple IE.
    • You can still right a program which uses 100% CPU Usage and makes everything really slow,etc. for another OS, no matter how secure.

      And here's the C(++) code to do it.

      here: goto here;

      LK
  • by morelife (213920) <f00fbug&postREMOVETHISman,at> on Friday April 09, 2004 @03:02PM (#8819364)
    to provide honest labels on software in the same way that the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products.


    By opening or removing the seal to this package you agree to abide by the terms explained in the enclosed EULA. By the way, this product contains software code, which, by installing on your computer, could render you utterly defenseless from intrusion, viruses, worms, trojans, popup advertising, loss of data, loss of privacy, NOT TO MENTION putting you on an endless treadmill of planned obsolescence, making you a pawn in the global theater of consumer rape by corporations. Enjoy!! Oh, yeah, we don't guarantee that the software works, and, no refunds.


  • by kawika (87069) on Friday April 09, 2004 @03:02PM (#8819370)
    As that article says, most of the proposals to control spyware get bogged down in trying to define spyware without catching sofware that is clearly legitimate, such as an antivirus program trying to "phone home" automatically to update its virus signatures.

    I would much rather see regulation that required all software to clearly declare its intentions, and to get explicit and verified permission to install.
    • I would much rather see regulation that required all software to clearly declare its intentions, and to get explicit and verified permission to install.

      Forget intentions, and forget trying to define "spyware". Just use a little ET icon to show that the software phones home, let the marketers say why, and let the user decide. I mean, come one, the user needs to carry some of this burden. Let's not fill software up with idiot labels, shall we?

      So, I say if they stick labels, they should define them by fu

  • Never happen (Score:2, Informative)

    by Anonymous Coward
    As long as we have members of our government like Senator Cantwell (D-Real)

    Read up on how she's bought-and-paid for by a loan from Real Networks - a loan that Ms. Cantwell got to pay for her campaign by using her insider shares she got from Real - and a loan that was supposed to have been called in when Real's stock price tanked.

    And that's just Real - anyone wonder how many Senators, Congressmen, and President's Bill Gates has on his payroll?

  • Are the makers of porn dialers, trojans, email relays and viruses going to put a helpful icon on their software? No.

    That is contrary to the nature of the software, which is to hide, report on your actions, enable remote operations, reproduce and the like.

    Spammers are going to ignore this, just like an unsubscribe link.

    • Are the makers of porn dialers, trojans, email relays and viruses going to put a helpful icon on their software? No.

      Of course not, but the makers of legitimately well behaved products will. You look at two food cans... one has a label with ingredients and such and the other one doesn't. Which one will you eat?

      This to work would require one or more bodies like the ESRB to test products, assign the correct labeling, and go after abusers.
    • As I understood the article, the idea is to make this obligatory and, presumably subject to legal sanction. If you mislablel a drug, the FDA can cause you a world of grief. This would make the creators of scumware subject to the same level of punishment. The risk could become too great for the reward.
    • Are the makers of porn dialers, trojans, email relays and viruses going to put a helpful icon on their software? No.

      I don't think this legislation is going after criminals, per se, but software like Gator and the like that are "legitimate" businesses with sleasy tactics. By making such underhanded tactics illegal, it will severely limit how much money etc can be collected by such a scheme. That is contrary to the nature of the software, which is to hide, report on your actions, enable remote operation
    • by kawika (87069) on Friday April 09, 2004 @03:27PM (#8819663)
      You're talking about viruses, and of course anyone who wants to break the law can do so. Right now though, there is a large class of software created by companies that say what they are doing is perfectly legal. They claim that by having a user click OK on a dialog box they can do pretty much anything they want on that user's PC. And they are doing this brazenly, out in the open, and in the clear view of the governing agencies. LOP.COM is one of the most-despised pieces of spyware around and still the guy from C2/LOP has the ballz to file a comment for the upcoming FTC spyware conference saying LOP is the future of Internet advertising [ftc.gov]!

      Most spyware/adware makers feel the same way, they don't have to hide because they are not breaking any laws. And if you download the software directly from their web sites you will be presented with various screens and buttons you have to click to agree. However, the details of what you are agreeing to is anything but clear. The Claria license is 20 pages for example, and to paraphrase: "Once you click YES we can automatically download and install new software, even new versions of other vendor's software like Media Player or Flash if we need it to display ads. We can even send back an list of all the software installed on your system."

      Should it be legal to bury that in a 20-page document and then say that clicking YES on a dialog box is legally binding?
  • While those with a little more knowledge can block access to their computer or remove harmful software; for Joe User this sounds like a good idea. They'll clearly see what harmful or risky behaviour any particular piece of software can bring with it. Of course many software companies (particularly big ones with an interest in collecting information without necessarily letting people know they're doing that...) would fight it. But if it's legislated then they'd either have to comply, or be a lot more underha
  • I'm interested in an intelligent discussion of ideas in the marketplace, and whether the government should be in the position of enforcing the openness of information. Trolls need not participate; we know how tempting it is for you.

    Basic economic principles, such as supply/demand curves, are based on the principle of a marketplace with "open information": all buyers and sellers know the same things.

    Yet, even when it comes to the FDA ingredients label, we hear companies bitching and moaning and finding ne
    • principle of a marketplace with "open information"

      In most cases, "open information" (or a close approximation) will happen automatically, unless steps are taken to prevent it. Some consumers will examine the products they buy and exchange that information with other potential customers, so the truth quickly gets out. Or secondary businesses will spring up providing reviews of availabile products.

      But in reality, there are often legal obstacles to this free exchange of info: Intellectual Property laws me
      • Nicely laid out points. Thanks you.

        "open information" (or a close approximation) will happen automatically, unless steps are taken to prevent it.

        Something about this sentence bothers me still; otherwise I agree with most everything you say.

        What about the time component here? Information may spread automatically, but does it appear and spread instantaneously? I would argue that it very often does not, especially in the abstract field of information technology.

        In capitalism, the difference between w
  • by maiden_taiwan (516943) * on Friday April 09, 2004 @03:08PM (#8819458)
    Software vendors will have no incentive to put negative labels on their products; even if it's the law, they'll find some loopholes to avoid the labels. Instead, they would have more incentive to use labels that are positive. Instead of making a vendors say, "Yes, I use spyware," it makes more sense to award well-behaved programs a positive seal of approval which means, "This software uses no spyware, is uninstallable, etc."
    • So we need an organization like UL (Underwriters Laboratory) to say this is an OK product. The problem with such a system is that there are no consequences for non-compliance. I'd like a system where a software creaters rights to sue under DCMA, EULA etc are limited if they don't have the Good Software Seal of Approval. If we had such a seal, then the other problem would be getting business to buy into it.

      Hmmmm... If the government mandated that all software purchased by them or used to conduct busines
    • So are you implying that vendors who secretly include spyware should not face penalties? Does a society function well if deceit goes unpunished?

      We could apply the same argument to suggest the removal of FDA food labels. Foods labels could include just "good" information. But then, I'd argue, the health of people would suffer more than with our current system: capitalism rewards those who sell the cheapest products for the greatest profit. I don't see many "health food" items falling into this category
  • When I need a Windows program to do some task, unless there is a program that I know and trust, I always look for a suitable open source solution first.

    Open Source acts as a trust mark. I've never even heard of a spyware program released under the GPL.

    Yes, I may need to use a DOS prompt and run cdrao and vcdimager with a bunch of confusing flags to burn a VCD from my TV tuner card, but it still works, it doesn't notify a database that I like CSI, it doesn't intentionally degrade the output, and I don't

  • by ets960 (759094) on Friday April 09, 2004 @03:11PM (#8819482) Homepage
    Looks like this software contains 36% of my daily value of spam, but it does contain 200% of my daily requirements for internet messaging.
  • article text (Score:5, Informative)

    by Anonymous Coward on Friday April 09, 2004 @03:13PM (#8819503)
    The Pure Software Act of 2006
    100 years ago, Congress passed a law requiring honest labeling of food and drugs. Now the time has come to do the same for software.

    By Simson Garfinkel
    The Net Effect
    April 7, 2004

    Spyware is the scourge of desktop computing. Yes, computer worms and viruses cause billions of dollars in damage every year. But spyware--programs that either record your actions for later retrieval or that automatically report on your actions over the Internet--combines commerce and deception in ways that most of us find morally repugnant.

    Worms and viruses are obviously up to no good: these programs are written by miscreants and released into the wild for no purpose other than wreaking havoc. But most spyware is authored by law-abiding companies, which trick people into installing the programs onto their own computers. Some spyware is also sold for the explicit purpose of helping spouses to spy on their partners, parents to spy on their children, and employers to spy on their workers. Such programs cause computers to betray the trust of their users.

    Until now, the computer industry has focused on technical means to control the plague of spyware. Search-and-destroy programs such as Ad-Aware will scan your computer for known spyware, tracking cookies, and other items that might compromise your privacy. Once identified, the offending items can be quarantined or destroyed. Firewall programs like ZoneAlarm takes a different approach: they don't stop the spyware from collecting data, but they prevent the programs from transmitting your personal information out over the Internet.

    But there is another way to fight spyware--an approach that would work because the authors are legitimate organizations. Congress could pass legislation requiring that software distributed in the United States come with product labels that would reveal to consumers specific functions built into the programs. Such legislation would likely have the same kind of pro-consumer results as the Pure Food and Drug Act of 1906--the legislation that is responsible for today's labels on food and drugs.

    The Art of Deception

    Mandatory software labeling is a good idea because the fundamental problem with spyware is not the data collection itself, but the act of deception. Indeed, many of the things that spyware does are done also by non-spyware programs. Google's Toolbar for Internet Explorer, for example, reports back to Google which website you are looking at so that the toolbar can display the site's "page rank." But Google goes out of its way to disclose this feature--when you install the program, Google makes you decide whether you want to have your data sent back or not. "Please read this carefully," says the Toolbar's license agreement, "it's not the usual yada yada."

    Spyware, on the other hand, goes out of its way to hide its true purpose. One spyware program claims to automatically set your computer's clock from the atomic clock operated by the U.S. Naval Observatory. Another program displays weather reports customized for your area. Alas, both of these programs also display pop-up advertisements when you go to particular websites. (Some software vendors insist that programs that only display advertisements are not spyware, per se, but rather something called adware, because they display advertisements. Most users don't care about this distinction.)

    Some of these programs hide themselves by not displaying icons when they run and even removing themselves from the list of programs that are running on your computer. I've heard of programs that list themselves in the Microsoft Windows Add/Remove control panel--but when you go to remove them, they don't actually remove themselves, they just make themselves invisible. Sneaky.

    Yet despite this duplicity, most spyware and adware programs aren't breaking any U.S. law. That's because many of these programs disclose what they do and then get the user's explicit consent. They do this with something that's called a click-wr
  • by jonfelder (669529)
    Why not use Mr. Yuck! stickers and icons all software that uses unsavory practices?

    No need to make it complicated...if it's got any characteristics like spyware it's crap and gets a Mr. Yuck. Simple.
  • Warning (Score:2, Insightful)

    by ackthpt (218170) *

    Ingredients: Proprietary code, Spyware, Adware, annoying prompts, unintelligible menu structure, useless or partially imptemented features, inconsistent API implementation and easter eggs (which took time that could have been better used ensuring quality or useful features.) Does not provide sufficient minimum levels of help. May contain traces of any of the following: Bugs, security holes, back doors, memory leaks and bloat. Expiration Date: 2 years after the next version comes out.

  • NO! (Score:5, Interesting)

    by ThisIsFred (705426) on Friday April 09, 2004 @03:18PM (#8819553) Journal
    No thanks. I have more trust for "disinterested" third parties that verify and publish on their own. A more helpful law would be one that protects the researchers (even amateur ones) from harassment (legal or otherwise). It's a slippery slope, it will not end with labeling.

    I *don't* want that to happen with software! I'd much rather retain the right, as fair use, to legally modify crap-ware, and also have the right to discuss the details of that modification with other people.
  • I see this as a step towards obliging software vendors to offer some sort of guarantee, and that IMHO is something that has been a long time coming. For too long, closed-source software vendors have hidden behind the words "No Warranty" and the confidentiality of their source code to avoid acknowledging bugs.

    Open Source software should be perfectly capable of complying with this requirement, since the source code is the guarantee document (you can truthfully state that it will do whatever the source cod
  • will go unused (Score:3, Insightful)

    by s4m7 (519684) on Friday April 09, 2004 @03:19PM (#8819567) Homepage

    The food and drug industry is heavily regulated, and is substantially easier to control than software because producers need to be licensed with various governmental bodies, depending upon the country. Rightfully so, as lives are at stake.

    If this sort of labeling scheme is to achieve widespread adoption, it will need the same sort of tight regulations. I don't believe that the majority of developers would enjoy this at all... imagine having to have upgrade releases and patches approved by the Federal Software Administration, before being allowed to legally distribute it to the public. Throw in the fact that it would take several decades just to get a minority of the world's countries on the same wagon, and consider that most "scumware" (to generalize) comes from outside the U.S.

    It's a great idea, but the execution is all wrong. More appropriate would be to grant developers the ability to have their software approved as "Popup free" or "Doesn't Phone Home" or the inverse of the many other icons that Simson Garfinkel (sounds like a joke) proposes. This legislation would prove a lot harder to fight from an industry perspective.

  • by vegetablespork (575101) <vegetablespork@gmail.com> on Friday April 09, 2004 @03:20PM (#8819581) Homepage
    should be required to be disclosed in a standard manner on the outside of the packaging. Products that require registration or "activation" to run after purchase like TurboTax (last year's--don't know about this year's since I switched to TaxCut) and PowerQuest's recent utilities should be required to carry this disclosure in a standard, readable, consistent format.

    If anyone cries that this would be like a scarlet letter and harm his sales, remind him that proponents of DRM (while wielding effective monopolies in their product areas) were saying to "let the market sort it out." Free markets require good information, which such a law will provide.

  • Worst. Act name. Ever.

    A noble idea, with an ignoble name. Reminds me of a Pure Earth movement of some kind.
  • by mw2040 (756223)
    The Pure Food and Drug Act, while seemingly innocuous in its time, paved the way for the current prohibition against certain drugs in the US (and most of the world) and led to all of the excesses and perversions of the government's "War on Drugs". How could this proposal (well-meaning and topical as it seems today) come back and bite us in the future?

    Perhaps deeply immersive and psychologically convincing virtual reality of the future will be deemed to be software with the potential to cause harm and no
  • by brxndxn (461473) on Friday April 09, 2004 @03:25PM (#8819635)
    Ya, I use Windows XP. Even though I have a firewall and keep my patches up to date, I still get adware/spyware once in a while.

    I would get 0 adware/spyware if Microsoft wrote a little bit of security into their operating system in a few ways:

    - Record log of installed files (prompt for any files being installed in non-specified directlories.. ie: If realplayer trys to install realisawesome.dll in C:\windows\system32, WINDOWS itself prompts me.)

    - Prompt for any programs trying to start up with the computer

    - Have only one method for a program starting up with a pretty little 'startup' icon in the control panel

    - Disable IE's install on demand by default (probby most common method for spyware)

    - Allow users to disable popups without a fucking extra program (fuck developers and their incessant popups - MS gives way too much control to them and none to the end user)

    - Have Windows control the uninstall and not some crappy script written by the same company that wrote the crappy software that user wants to uninstall cause' it was crappy

    - Allow the user to enable plugins only when desired (disable flash advertisements and stuff)

    - Quit allowing programs to install a shortcut in startup, the quicklaunch bar, the desktop, every goddamn folder on the computer, favorites, and quit launching a secondary program just to launch a button that launches the main program!!!

    This is how you could fix things in Windows.. Linux is pre-fixed.

    So, you Linux nerds, why the hell aren't we trashing Microsoft in this thread? They're fixing 'security', but not the type of shit Mr. Stupid Enduser cares about.

  • I totally agree with this concept.. In the age of the "shrink wrap license", the groups defining the terms and conditions need to take more responsibility to clarify the terms than they currently do. Who has the time, or the legal knowledge, to wade through 10 pages of legalese before installing some random program? I simply cancel the install when confronted with those licenses, but obviously many people don't.

    The same concept should apply to many areas:

    - DVD, and other future format, movies. The
  • I guess this is a good start, but he states that we should avoid "icon creep." The problem is, the sorts of nastiness that spyware can carry out will likely be lumped up with the same icons that most legitimate software will cover.

    I.E. think about how many icons Mozilla could be required to have on it... it can be set to start at boot with that quickstart icon thing. It can can be set to send data back home if you've set up the Talkback crash reporting, which will likely send back monitoring information on

  • It's difficult to define and enforce this across the swathe of software products, but one way to start is to require it for government purchasing contracts: forcing major vendors (e.g. microsoft _and_ open source vendors!) to start the ball rolling. Once it gets ironed out after a couple of years, then roll it out further.

    Good idea though.

  • by Minna Kirai (624281) on Friday April 09, 2004 @03:45PM (#8819896)
    Like many people, Garkfinkel is proposing a legislative solution to something that'd be better handled technically.

    (Legislative solutions are suboptimal/dangerous for many reasons. They are over-broad, in that they apply even to consenting adults who wish to engage in the behavior without meddlesome government oversight; cf prostitution. And they're too-narrow, in that they can by necessity only apply within the country's legal jurisdiction, whereas software distribution is an international operation)

    Turn now to the second page the Pure Software [technologyreview.com] proposal. The list of potential warning-labels it suggests is: Hook, Dial, Modify, Monitor, Popup, Remote Control, Self-Updates, and Stuck.

    All of those things are basically technical features which a well-designed operating system could prohibit programs from using, without permission. The root of the problem is that even after 30+ years of software publication, most programs are still just completely arbitrary lists of instructions: once they're executing, they do whatever they do, and nothing can stop them.

    The big exception there is that most OSes, at least, restrict programs on a per-user basis. A program cannot read or edit files to which the executing user has no permission. That's an important step, but one that Unix has had firmly in place since the 80s. As time passes, we need to go further: program priviledges should be restricted not just at the per-user level, but also at finer granularity.

    When I download and install a program, I don't want just the option of "run it or don't". I should be able to run it, but without it being able to read any files except those it came with. Or being allowed to read files, but only if I pick them from a system-supplied dialog box. Or read any files, but not write to them, except in a directory I've chosen (and that it can't override). Or write files, but only in specific approved formats (such as those which can't possibly contain executable code). Similar kinds of restrictions suggest themselves for GUI and network areas (including the important points of "phone home" and "data tainting")

    To a small extent, Java frameworks (like "Web Start") have attempted to do this, with a list of features the user can individually permit a program to execute. Microsoft .Net also makes overtures in this direction. It will be a challenge for OS vendors to allow users to have this amount of control, without overwhelming them with so many choices they'll give up and just give full permissions to everythig (in the pattern of "I always run as administrator, because it's the only way to get stuff done"). But those challenges can be surmounted with skilled interface design.

    The best way to prevent software from doing something is to use software that prevents it from doing it. (As Lawrence Lessig said, the best and most effective laws for code are more code [amazon.com])
    • Hmmm...I don't know that I want to work that hard. When I install a new program, I usually don't know very much about it, so it would be rather hard to tell what behaviors are needed. I am a geek, so I could probably get it right most of the time if I took the trouble. Same would be true of reading the EULAs. But most software users are not geeks and letting them pick and choose the options that you suggest seems entirely unworkable regardless of the UI. It might work for you, but it would be a disaste
  • by Lord Kano (13027) on Friday April 09, 2004 @03:56PM (#8820045) Homepage Journal
    the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products.

    What's to stop someone from saying "This product may contain one or more of the following; ad-ware, spy-ware, automatic updates, and a chance to win $1,000,000"

    That last item would be enough to entice most people to buy it anyway.

    LK
  • With all of these icons, will there even be ROOM for the logo on the Windows box?
  • Why? (Score:3, Insightful)

    by FreemanPatrickHenry (317847) on Friday April 09, 2004 @04:03PM (#8820142)
    What ever happened to caveat emptor?

    If you don't know what you're buying...don't buy it.
  • by diatonic (318560) on Friday April 09, 2004 @04:16PM (#8820291) Homepage
    Some spyware is also sold for the explicit purpose of helping spouses to spy on their partners, parents to spy on their children, and employers to spy on their workers.

    So this guy really feels that employers who monitor company computers are spying on their employees? Should closed circuit cameras be taken down to prevent spying on employees? It's a company computer... they can load whetever software they like on it!

    .:diatonic:.
  • by RockyMountain (12635) on Friday April 09, 2004 @04:21PM (#8820373) Homepage
    I like the idea in principle, but see plenty of problems in it's practical impelementation.

    As described, the proposed law would hard-code the concept of using icons to disclose this information. What about fundamentally non-graphical programs (drivers, daemons)? What about overall non-graphical environments (servers, embedded)?

    I fear this scheme would further what is already an increasing problem: that everybody wants to attach a GUI to every program, even if it's totally inappropriate (e.g. printer drivers). The proliferation of spurious GUI interfaces leads to the proliferation of inappropriate design choices in exception reporting (pop-ups instead of log files), configuration methods, etc.

    I'm not anti-GUI, by the way. I'm anti-inappropriate-GUI, and I fear hard-coding icon requirements into every piece of software makes this trend even worse. Immagine if every .deb or .rpm package in your Linux system had a spurious GUI component, just to comply with a well-intentioned but poorly-considered law!

    On the other hand, I would definitely like to see these icons displayed on the labels of software packages and disks, or on the web pages that software is downloaded from.

    Oh, and something the article didn't mention, but I'd propose this ammendment to the act: Make it hard to add any additional icons (i.e. to make the program behavior worse) in upgrades. If any icons are added, the vendor must either (1) continue to support the old version for future bug fixes, security patches, etc., or (2) refund the purchase price to buyers who choose not to continue using the product. (Obviously, there'd have to be a time limit, but long enough to prevent the use of "incrimental-spyware" as a bait-and-switch technique.)
  • by mnemotronic (586021) <mnemotronic@ne[ ]ape.net ['tsc' in gap]> on Friday April 09, 2004 @04:30PM (#8820481) Homepage Journal
    This software product may contain the following:

    logic or programmatic errors; algorithm errors; design errors; unused, invalid, or obsolete code; stolen code; improper, incorrect, or misleading documentation. You, the purchaser or user of this software product, are entirely responsible for any flaws, errors, omissions, or other acts committed by the designers, creators, and implementors of this product during the design, creation, or implementation of said product.

    Use of this product may enable third parties to surreptitiously control your computing environment. You are entirely responsible for the acts of these third parties.

    Special notification for citizens of the United States

    Parts of this product may have been designed or implemented outside the United States by programmers who may not (personally) be friendly to United States interests, and who have, in any case, eliminated the jobs of tax-paying US workers.

    Purchase or use of this software may marginalize, restrict, or eliminate one or more or your constitutionally guaranteed civil rights.

    Use and enjoy!

  • by Alain Williams (2972) <addw@phcomp.co.uk> on Saturday April 10, 2004 @10:04AM (#8824600) Homepage

    • Texas, which taxes doughnuts only if you buy fewer than half a dozen

    I now understand why USA citizens are so fat.

The most exciting phrase to hear in science, the one that heralds new discoveries, is not "Eureka!" (I found it!) but "That's funny ..." -- Isaac Asimov

Working...