The Pure Software Act of 2006

lurker412 writes "The MIT Technology Review features a proposal by Simson Garfinkel to provide honest labels on software in the same way that the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products. The proposal targets adware, spyware and other unsavory practices. It suggests that by requiring software manufacturers to include clear icons for each nasty behavior--rather than hide the disclosures in seldom read or understood click-through SLAs--end users will be better protected. Garfinkel specifically lists eight types of sneaky behavior, but the list is not meant to be exhaustive."

Erm...

[r4bb1t]

How do they plan on labeling software solely distributed over the internet? I'd venture to say that 90% of the spyware that's out there comes through download-only software (DivX, peer to peer software, etc...).

The idea is great...

[MacFury]

Implementation would be far too much trouble. Developers would fight you at every turn. Would my software be spyware if I had it collect general system stats if you choose to register, so that I know the average machine speed of my clients? Would that carry the same label as a program that logged every keystroke and sent that back?

Perhaps you can get that new Earth government

[Anonymous Coward]

To implement it. Software is created internationally, especially some of the riskier/more questionable stuff. Congress can pass laws all the want, but it's going to be difficult to get a programmer in Uzbekistanajanina to follow.

The right way to fight "spyware"

[kawika]

As that article says, most of the proposals to control spyware get bogged down in trying to define spyware without catching sofware that is clearly legitimate, such as an antivirus program trying to "phone home" automatically to update its virus signatures.

I would much rather see regulation that required all software to clearly declare its intentions, and to get explicit and verified permission to install.

Like requiring thieves to pay taxes on thier loot.

[teamhasnoi]

Are the makers of porn dialers, trojans, email relays and viruses going to put a helpful icon on their software? No.

That is contrary to the nature of the software, which is to hide, report on your actions, enable remote operations, reproduce and the like.

Spammers are going to ignore this, just like an unsubscribe link.

Re:Adware/Spyware makes me mad

[jb_davis]

The people who get spyware are the stupid and the elderly. Switching to linux would make things even worse for them.

Re:The idea is great...

[kawika]

You missed the point, or more likely did not read the article. Having one of these icons doesn't mean your program is "spyware". It means that your program performs one or more of these functions. Other programs such as virus scanners or keyboard drivers might have them too. The point is to inform users in a concise way of program behaviors that may cause some sort of trouble. The more of these things a program does (like autoupdate or sending back click data) the harder a user should look at the license to be sure they really trust what is going on.

Re:The 'Evil' Bit

[badasscat]

I can hear the software vendors right now. "Oh, sure, I'm going to label my software as 'pop-up', that'll bring in the customers, oh, yeah!" More likely, they'll fight it on the grounds of anyone who ever made or makes use of the Yes/No dialog box -- "That's a pop-up, too, make them label their software." Totally meaningless.

Oh, I don't know. You could have said the same thing about food labels, but the fact is a lot of the food industry actually wanted them. I would think the same about this. Honest software vendors (which is still the majority of the industry), I would think would jump at the chance to be part of something like this, because it would help distinguish why their software is better than the shyster spamware and adware companies' stuff. I mean what if on the one hand you have Real with a whole bunch of scary icons, and on the other you have Apple with only one or two for QuickTime/iTunes? If I were Apple I'd be very happy about this. That's just one example; the easiest that came to mind. In every category you'd have companies on both sides of the issue, depending on who would benefit; it just depends on who's got the most lobbying power in each specific case.

And btw, to respond to another early comment, I too wondered initially what a certain musical duo was doing putting forth software regulation recommendations when I first read the posting.

Re:Adware/Spyware makes me mad

[gumpish]

The people who get spyware are the stupid and the elderly. Switching to linux would make things even worse for them.

I believe you just made the case for Mac OS X.

Re:The right way to fight "spyware"

[fucksl4shd0t]

I would much rather see regulation that required all software to clearly declare its intentions, and to get explicit and verified permission to install.

Forget intentions, and forget trying to define "spyware". Just use a little ET icon to show that the software phones home, let the marketers say why, and let the user decide. I mean, come one, the user needs to carry some of this burden. Let's not fill software up with idiot labels, shall we?

So, I say if they stick labels, they should define them by function rather than buzzword. If the software uses any networking code for *any* reason, then it should have an icon. If it only uses loopback interface, then it gets a "local machine only". And so on and so forth.

Bring back Mr. Yuck!

[jonfelder]

Why not use Mr. Yuck! stickers and icons all software that uses unsavory practices?

No need to make it complicated...if it's got any characteristics like spyware it's crap and gets a Mr. Yuck. Simple.

Warning

[ackthpt]

Ingredients: Proprietary code, Spyware, Adware, annoying prompts, unintelligible menu structure, useless or partially imptemented features, inconsistent API implementation and easter eggs (which took time that could have been better used ensuring quality or useful features.) Does not provide sufficient minimum levels of help. May contain traces of any of the following: Bugs, security holes, back doors, memory leaks and bloat. Expiration Date: 2 years after the next version comes out.

Re:Erm...

[theghost]

It is of the benefit that they would be in compliance with the law and wouldn't get fined by the government. The cost of implementation is as trivial as the process itself, therefore they would have little excuse for not doing it.

The reason for doing this has as much or more to do with making deceitful software makers accountable as it does with educating the consumer.

Re:Perhaps you can get that new Earth government

[Anonymous Coward]

Food is created internationally too and it wasn't much of a problem getting foteign manufacturers to label it... If they want to sell the stuff in the U.S they label it after U.S rules, and so will software manufacturers.

Re:The idea is great...

[NaugaHunter]

Q: Would my software be spyware if I had it collect general system stats if you choose to register, so that I know the average machine speed of my clients?

A: Yes. Most programs that have a reason to do this already warn you anyway. I didn't see anything specific, but it would be fine if it worked like Ratings that describe WHY they are there. For example, if it listed next to the 'Reports Home' icon a blurb that says 'User controlled system reporting for research' it would be fine. As for who would watch this, once the icons are in place it would probably be relatively simple to set up a Consumer Watch Group for this alone. A website listing whether a product is accurately labeled would be the minimum required, though we could easily have more.

As for funding, rights, blah blah blah: we already have a FDA because food and drugs are such an integral part of daily life. Every state has a DMV. For better or worse, the FCC is all over the place watching things. Aren't computers ubiquitous enough for them to monitored yet for consumer protection?

will go unused

[s4m7]

The food and drug industry is heavily regulated, and is substantially easier to control than software because producers need to be licensed with various governmental bodies, depending upon the country. Rightfully so, as lives are at stake.

If this sort of labeling scheme is to achieve widespread adoption, it will need the same sort of tight regulations. I don't believe that the majority of developers would enjoy this at all... imagine having to have upgrade releases and patches approved by the Federal Software Administration, before being allowed to legally distribute it to the public. Throw in the fact that it would take several decades just to get a minority of the world's countries on the same wagon, and consider that most "scumware" (to generalize) comes from outside the U.S.

It's a great idea, but the execution is all wrong. More appropriate would be to grant developers the ability to have their software approved as "Popup free" or "Doesn't Phone Home" or the inverse of the many other icons that Simson Garfinkel (sounds like a joke) proposes. This legislation would prove a lot harder to fight from an industry perspective.

Copy protection and DRM

[vegetablespork]

should be required to be disclosed in a standard manner on the outside of the packaging. Products that require registration or "activation" to run after purchase like TurboTax (last year's--don't know about this year's since I switched to TaxCut) and PowerQuest's recent utilities should be required to carry this disclosure in a standard, readable, consistent format.

If anyone cries that this would be like a scarlet letter and harm his sales, remind him that proponents of DRM (while wielding effective monopolies in their product areas) were saying to "let the market sort it out." Free markets require good information, which such a law will provide.

Next Gen. of Drug Wars?

[mw2040]

The Pure Food and Drug Act, while seemingly innocuous in its time, paved the way for the current prohibition against certain drugs in the US (and most of the world) and led to all of the excesses and perversions of the government's "War on Drugs". How could this proposal (well-meaning and topical as it seems today) come back and bite us in the future?

Perhaps deeply immersive and psychologically convincing virtual reality of the future will be deemed to be software with the potential to cause harm and no redeeming properties. Then the government would be well within its "rights" to prohibit the software's use and impose draconian penalties for possession or distribution (especially if you have the source code).

People in 1906 let the government have say over what they put in their bodies because of fear of contamination (and outright fraud), are we going to let the government have say over what we put on our computers because of fear of ad- and spy-ware?

Re:The sound of silence

[Fnkmaster]

My friends and I have a theory about Simpson - his career as a technology writer and pundit is based primarily on the Memorable Name principle (also known as the "American McGee principle"). This phenomenon seems particularly common in the tech industry.

American McGee is, in my opinion, an emblematic case of this phenomenon. Why was his game called "American McGee's A.L.I.C.E."? Do you ever hear about "John Smith's BullshitGame 2003"? I think not (we won't get into whether or not the game here sucked, which I believe everybody can agree with). Why was Mr. McGee a speaker at so many industry conventions and trade shows? Was it because of his amazing intellect and insights? His colorful lively presentation style? The quality of his work in the gaming industry? No, it's because his fucking name is "American McGee".

Simpson Garfinkel is a pretty good tech writer. Certainly a lot more knowledgeable than some of the idjits out there. But first and foremost, his success and the attention he gets is because his name is eminently brandable and memorable due to its remarkable resemblence to "Simon and Garfunkle". This works at a subconscious level, from what I've observed, even when people don't immediately note the resemblence of his name - they note what a strange name it is, and they always seem to remember it later if they encounter it again.

I won't bother getting to all the other examples of this phenomenon at work - some of them are people I know personally who are great people but owe much of their success to this kind of clever branding ("Jennifer 8. Lee" anyone?). The power of this phenomenon is undeniable. We may all sit around and think we are above this kind of low-level marketing manipulation of our brains, but we need to face the facts: we are being manipulated by the Strange Name Mafia into their sick and twisted view of the technology industry.

Boycott weird-named pundits. Err. Or something.

Labels - but not.

[Allen Zadr]

One thing that makes this less desirable from a software marketing standpoint is that in the short-term (early adoption), there is no 'negative' labels, where 8 negative labels means that your program could be considered 'safe' computing.

Further, there are several games that ship with Microsoft DirectX. That modifies your operating system. The program's package can't be labelled without the (wrench icon), unless it comes with installation instructinos about how and where to download the required ActiveX features.

In otherwords, sometimes the labelling will simply get in the way of the whole truth.

Re:Finally

[ThisIsFred]

Spyware is a big problem which isn't Window's fault. Because windows is the biggest, it gets targetted by spyware.

Sorry, but that's complete and utter bullshit. My tech team spends too much time cleaning up after malware. I made the mistake of switching our organization over to IE several years ago, mainly due to complaints about compatibility. The majority of these nasty malware programs take advantage of design flaws in IE to enter the system and remain there.

I'm now testing Netscape 7 as a standard browser. It cannot be modified, or accessed through the operating system as can IE. Therefore, most of the loading schemes used by malware do not work. So IE is definitely part of the problem. IE is part of Windows, so it is Windows' fault. Malware programs modify Windows so that they can run as extensions to the operating system, and no actually up as a process in the process list.

Re:Like requiring thieves to pay taxes on thier lo

[kawika]

You're talking about viruses, and of course anyone who wants to break the law can do so. Right now though, there is a large class of software created by companies that say what they are doing is perfectly legal. They claim that by having a user click OK on a dialog box they can do pretty much anything they want on that user's PC. And they are doing this brazenly, out in the open, and in the clear view of the governing agencies. LOP.COM is one of the most-despised pieces of spyware around and still the guy from C2/LOP has the ballz to file a comment for the upcoming FTC spyware conference saying LOP is the future of Internet advertising [ftc.gov]!

Most spyware/adware makers feel the same way, they don't have to hide because they are not breaking any laws. And if you download the software directly from their web sites you will be presented with various screens and buttons you have to click to agree. However, the details of what you are agreeing to is anything but clear. The Claria license is 20 pages for example, and to paraphrase: "Once you click YES we can automatically download and install new software, even new versions of other vendor's software like Media Player or Flash if we need it to display ads. We can even send back an list of all the software installed on your system."

Should it be legal to bury that in a 20-page document and then say that clicking YES on a dialog box is legally binding?

Labels aren't going to help

[Anonymous Coward]

Spyware doesn't come with the products you buy in a store. It comes from web pages in the form of activex driveby installers, with crappy software "bundles" in p2p programs, and so forth. The techniques used to install are deceptive, and will work around whatever laws you try to put on them.

The solution is to have intelligent security (e.g. not everyone is the fucking admin user, and your web browser doesn't happily run code from other web sites). It's not rocket science.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Who says more icons have to be bad, anyway?

[Ayanami Rei]

Aside from the pop-ups one (which may be difficult to "guage"), all of these features could be good or bad depending on the circumstances. The logic being, IF it has a lot of icons, AND you trust the company, then it's still safe to buy.
OTH, if it has a lot of icons and you DON'T trust the company, it's probably NOT safe to buy. If it has one or no icons and you don't trust the company (or you do), it probably can't hurt.

Example:

Auto-Update, Uninstallable, and Modify system for a service pack from MS is no worse than Modify System + Popups from a "Free Web Accelerator" from some random website.

I can see them sticking those icons right next to the "recommended system requirements". It'd start looking like a Nutrition Facts label. They just need one for "Requires Administratrive Privledge", and maybe they should either add one that says "Directly Controls Hardware" too.

And I think the telephone calls one and pop-up ones are too specific. The telephone call one should be more like "can incur incremental cost automatically" (so it'd apply to MMRPGs or Click n' Run as well) and the pop-up one should simply be "Adware".

Re:Finally

[kawika]

That's funny. I run Mozilla/Firefox when I'm forced to boot into XP because of work. Doesn't seem to have the problems with allowing software to be installed just by visiting a site.

Right, and having everyone switch browsers would solve the problem. Not. The preferred spyware delivery method would just switch to email, bundling, or social engineering tricks that work well for FireFox. The FireFox download dialog is much less informative than the IE one, for example.

Re:The idea is great...

[Have Blue]

It just means that you have to inform the user that you are doing that, which you should be doing anyway, using a standard icon or text for "collects performance statistics" as defined by this law.

Re:The 'Evil' Bit

[TALlama]

The solution to this is a 'Clean' icon. If the software has it, it by definition does not have any of the behaviors denoted by the other icons. Trademark all the icons, and make sure that people can only use the 'Clean' icon if the code is verifiably clean (which you can pay to have done for you).

Re:The idea is great...

[Cecil]

Would my software be spyware if I had it collect general system stats if you choose to register

Absolutely. If you don't show me every piece of info you're sending through the registration process, it's spyware.

Are you sending the processor model? How about the MHz? What if I've overclocked? Maybe I don't want you to know that. Does "General system stats" include a list of running processes perhaps?

If you want to have me send in an automatically-filled out survey about my machine, I might be happy to do that for you, provided I can see and change the answers as needed. It is a survey, right? You are trusting my answers, right? If you covertly sneak some auto-detected information about my system into your registration process, that's spyware.

We have that for avionics systems...

[C.]

...why not do a similar thing for everyday software?

In commercial avionics there is a standard that describes the testing (and other) obligations for a software manufacturer. If you see a product certified to DO-178B level A, you know it can be used for a life-critical purpose. If you see DO-178B level E, you know they only slapped the label on something they developed without any formal development (and testing) process.

If software manufacturer are to be obliged to disclose the amount of spyware they distribute, then they should by the same account disclose how many bugs we expect them to distribute. Just make an-easy-to-go-through certification in order to disclose how well you've tested your software to meet the requirements, and you're in business.

Re:Why aren't we blaming Microsoft?

[josh3736]

- Record log of installed files (prompt for any files being installed in non-specified directlories.. ie: If realplayer trys to install realisawesome.dll in C:\windows\system32, WINDOWS itself prompts me.)

You have to remember that Windows is targeted more towards the Grandma/non-tech-inclined crowd, not the /. crowd. Whereas you would know what this means, Grandma wouldn't have a clue and just click 'Yes' to continue installation so she can watch the halarious video with the cats in it.

- Prompt for any programs trying to start up with the computer
- Have only one method for a program starting up with a pretty little 'startup' icon in the control panel

Again, "do I want to start up 'ClockSync' at boot? Sounds important, I probably should!" Not to mention that there is no way that they'd break compatibility by removing support for all but one startup method. I do like the idea of a "pretty Startup icon," so long as it incorporates applications from ALL startup methods. (But then, how do you deal with NT Services? You don't really want Grandma disabling the "Windows Audio" service--oops, now sound doesn't work.)

- Disable IE's install on demand by default (probby most common method for spyware)

You're probably talking about ActiveX, which can be very useful. The better way to go about this would be if the Code Signing Authorities (VeriSign, etc.) would have more stringent requirements before they sign spamware. (By default, unsigned code won't run.) Unfortunately, with VeriSign, this won't happen anytime soon. (*caugh* SiteFinder *caugh*)

- Allow users to disable popups without a fucking extra program (fuck developers and their incessant popups - MS gives way too much control to them and none to the end user)

I do beleive the upcoming IE has a built-in popup blocker.

- Have Windows control the uninstall and not some crappy script written by the same company that wrote the crappy software that user wants to uninstall cause' it was crappy

Which is exactly what Windows Installer is designed to do.

- Allow the user to enable plugins only when desired (disable flash advertisements and stuff)

Good idea, but Grandma will never use it. The more enlightened will use The Proxomitron anyways.

- Quit allowing programs to install a shortcut in startup, the quicklaunch bar, the desktop, every goddamn folder on the computer, favorites, and quit launching a secondary program just to launch a button that launches the main program!!!

You can use ACLs to prevent writes to those directories. However, when something tries to write to one of those folders, there could be a prompt along the lines of "Do you want a shortcut to AwesomeShitwareApp installed in the Quick Launch?" Downside: The good apps with nice installers already do this, would piss some people off that they are being asked the same question twice.

Why?

[FreemanPatrickHenry]

What ever happened to caveat emptor?

If you don't know what you're buying...don't buy it.

Comanies spying on employees?

[diatonic]

Some spyware is also sold for the explicit purpose of helping spouses to spy on their partners, parents to spy on their children, and employers to spy on their workers.

So this guy really feels that employers who monitor company computers are spying on their employees? Should closed circuit cameras be taken down to prevent spying on employees? It's a company computer... they can load whetever software they like on it!

.:diatonic:.

Re:That misses the point somewhat

[maiden_taiwan]

No, a positive "seal of approval" is much easier to think about than a slew of negative labels. It's just one thing, and it says "All is OK."

The labels in the article are indeed negative. There is a strongly perceived difference between "This product does something you might not like" and "This product behaves well."

Re:Labels - but not.

[The_K4]

Which also brings up the point of software you download...no packaging! Do they need to put the icons on the linking page? All linking pages? On the google search replies? MOST spy-ware/ad-ware software isn't purchsed or packaged!

Re:The right solution would be technical, not lega

[lurker412]

Hmmm...I don't know that I want to work that hard. When I install a new program, I usually don't know very much about it, so it would be rather hard to tell what behaviors are needed. I am a geek, so I could probably get it right most of the time if I took the trouble. Same would be true of reading the EULAs. But most software users are not geeks and letting them pick and choose the options that you suggest seems entirely unworkable regardless of the UI. It might work for you, but it would be a disaster for most.

Re:The sound of silence

[Mskpath3]

Actually, all the hype behind American McGee came from the fact that he was an ex-ID level designer (famously responsible for the classic multiplayer map dm4). At the time (when American McGee's Alice kicked off development) that was a pretty trendy/cool label to have.

Additionally, I believe the story goes that he worked as a janitor in the building that ID had their offices in and somehow got his foot in the door that way.

Re:The 'Evil' Bit

[SnappleMaster]

Yeah this is stupid. Basically people who write this crap-ware would have to have a label that says, in effect: "This software will do something you do not want it to. It will annoy you and may expose personal information. Do yourself a favor and do not install it."

Plus this is yet another American idea. The Internet is bigger than America. American laws would only protect people from software written in America. What about all the crap-ware that gets written elsewhere?

Bottom line: I give this idea 9.5 out of 10 stupids.

Re:No...

[ThisIsFred]

But you're kidding yourself if you don't think the main reason there's more malware for Windows/IE than anything else is because of their popularity.

To agree with you, I'd have to accept that popularity, and not design, is what creates security flaws. No, sorry, I'm not buying it. Netscape, with it's 6 major vulnerabilities that have long since been patched, I can sit here and surf all day without picking up any malware. Windows is the problem, and IE is the enabler, if you will. I'm going to be switching our network workstations over to Netscape, and EULA-be-damned, I'm going to find a way to cripple IE.

Re:The 'Evil' Bit

[Nexum]

I've never had the png problem you speak of so I can't comment on that - surely associating the .png extension with something other than Quicktime will fix it though.

However, bad software practises that discourage freedom and innovation? Please when you make these claims back them up. Like the OS X microkernal being open source? Like giving significant help and assistance to the KHTML engine in return for its implementation in Safari (which increases its usage in the wild by many magnitudes)?

Sure, corporate entities keep secrets, and some of these secrets relate to software, but guess what? These things cost money to make, and if Apple were to give away all the stuff it worked hard on then its 11,000 employees would be literally going hungry.

As far as fair play with ITunes Music Store, you are being WILDLY unfair - the terms, by any normal standards - are unobtrusive. You can use your music on more than one computer (three) you can use your music in your movies and DVD's (if you use iMovie and iDVD on your Mac), you can burn your tunes to CD as many times as you wish. Tell me of one other large commercial online music store with better DRM than this. Apple should, in fact must, be congratulated on forcing the RIAA and the labels to bend this far - no one else even got close.

Re:Why?

[mikeswi]

"If you don't know what you're buying...don't buy it."

So, you believe you shouldn't buy something if you don't know what it does, but are against a requirement that forces the maker to explain what it does?

EULA screen, above the fold

[tepples]

For downloaded programs, how about putting the warning label on the installer's EULA screen, above the fold? (The "fold", in human interface design, is the first line of text not visible in the initial state of a scrolling text box.)

Re:The 'Evil' Bit

[Glamdrlng]

So? Nearly every program my company writes does all of those as well. And our customers love us for it. More power to them. The fact that they love you for it implies that they know that you do it. As a consumer, I have a right to know how my machine is going to change when I click setup.exe. How many people do you think would have installed bonzi buddy if they knew all the different crap it did?