The Pure Software Act of 2006
lurker412 writes "The MIT Technology Review features a proposal by Simson Garfinkel to provide honest labels on software in the same way that the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products. The proposal targets adware, spyware and other unsavory practices. It suggests that by requiring software manufacturers to include clear icons for each nasty behavior--rather than hide the disclosures in seldom read or understood click-through SLAs--end users will be better protected. Garfinkel specifically lists eight types of sneaky behavior, but the list is not meant to be exhaustive."
Erm... (Score:5, Insightful)
The idea is great... (Score:5, Insightful)
Perhaps you can get that new Earth government (Score:1, Insightful)
The right way to fight "spyware" (Score:5, Insightful)
I would much rather see regulation that required all software to clearly declare its intentions, and to get explicit and verified permission to install.
Like requiring thieves to pay taxes on their loot. (Score:4, Insightful)
That is contrary to the nature of the software, which is to hide, report on your actions, enable remote operations, reproduce and the like.
Spammers are going to ignore this, just like an unsubscribe link.
Re:Adware/Spyware makes me mad (Score:1, Insightful)
Re:The idea is great... (Score:5, Insightful)
Re:The 'Evil' Bit (Score:5, Insightful)
Oh, I don't know. You could have said the same thing about food labels, but the fact is a lot of the food industry actually wanted them. I would think the same about this. Honest software vendors (which is still the majority of the industry), I would think would jump at the chance to be part of something like this, because it would help distinguish why their software is better than the shyster spamware and adware companies' stuff. I mean what if on the one hand you have Real with a whole bunch of scary icons, and on the other you have Apple with only one or two for QuickTime/iTunes? If I were Apple I'd be very happy about this. That's just one example; the easiest that came to mind. In every category you'd have companies on both sides of the issue, depending on who would benefit; it just depends on who's got the most lobbying power in each specific case.
And btw, to respond to another early comment, I too wondered initially what a certain musical duo was doing putting forth software regulation recommendations when I first read the posting.
Re:Adware/Spyware makes me mad (Score:4, Insightful)
I believe you just made the case for Mac OS X.
Re:The right way to fight "spyware" (Score:3, Insightful)
I would much rather see regulation that required all software to clearly declare its intentions, and to get explicit and verified permission to install.
Forget intentions, and forget trying to define "spyware". Just use a little ET icon to show that the software phones home, let the marketers say why, and let the user decide. I mean, come on, the user needs to carry some of this burden. Let's not fill software up with idiot labels, shall we?
So, I say if they stick labels, they should define them by function rather than buzzword. If the software uses any networking code for *any* reason, then it should have an icon. If it only uses loopback interface, then it gets a "local machine only". And so on and so forth.
Bring back Mr. Yuck! (Score:2, Insightful)
No need to make it complicated...if it's got any characteristics like spyware it's crap and gets a Mr. Yuck. Simple.
Warning (Score:2, Insightful)
Re:Erm... (Score:3, Insightful)
The reason for doing this has as much or more to do with making deceitful software makers accountable as it does with educating the consumer.
Re:Perhaps you can get that new Earth government (Score:1, Insightful)
Re:The idea is great... (Score:3, Insightful)
A: Yes. Most programs that have a reason to do this already warn you anyway. I didn't see anything specific, but it would be fine if it worked like Ratings that describe WHY they are there. For example, if it listed next to the 'Reports Home' icon a blurb that says 'User controlled system reporting for research' it would be fine. As for who would watch this, once the icons are in place it would probably be relatively simple to set up a Consumer Watch Group for this alone. A website listing whether a product is accurately labeled would be the minimum required, though we could easily have more.
As for funding, rights, blah blah blah: we already have an FDA because food and drugs are such an integral part of daily life. Every state has a DMV. For better or worse, the FCC is all over the place watching things. Aren't computers ubiquitous enough for them to be monitored yet for consumer protection?
will go unused (Score:3, Insightful)
The food and drug industry is heavily regulated, and is substantially easier to control than software because producers need to be licensed with various governmental bodies, depending upon the country. Rightfully so, as lives are at stake.
If this sort of labeling scheme is to achieve widespread adoption, it will need the same sort of tight regulations. I don't believe that the majority of developers would enjoy this at all... imagine having to have upgrade releases and patches approved by the Federal Software Administration, before being allowed to legally distribute it to the public. Throw in the fact that it would take several decades just to get a minority of the world's countries on the same wagon, and consider that most "scumware" (to generalize) comes from outside the U.S.
It's a great idea, but the execution is all wrong. More appropriate would be to grant developers the ability to have their software approved as "Popup free" or "Doesn't Phone Home" or the inverse of the many other icons that Simson Garfinkel (sounds like a joke) proposes. This legislation would prove a lot harder to fight from an industry perspective.
Copy protection and DRM (Score:5, Insightful)
If anyone cries that this would be like a scarlet letter and harm his sales, remind him that proponents of DRM (while wielding effective monopolies in their product areas) were saying to "let the market sort it out." Free markets require good information, which such a law will provide.
Next Gen. of Drug Wars? (Score:2, Insightful)
Perhaps deeply immersive and psychologically convincing virtual reality of the future will be deemed to be software with the potential to cause harm and no redeeming properties. Then the government would be well within its "rights" to prohibit the software's use and impose draconian penalties for possession or distribution (especially if you have the source code).
People in 1906 let the government have say over what they put in their bodies because of fear of contamination (and outright fraud). Are we going to let the government have say over what we put on our computers because of fear of ad- and spy-ware?
Re:The sound of silence (Score:5, Insightful)
American McGee is, in my opinion, an emblematic case of this phenomenon. Why was his game called "American McGee's A.L.I.C.E."? Do you ever hear about "John Smith's BullshitGame 2003"? I think not (we won't get into whether or not the game here sucked, which I believe everybody can agree with). Why was Mr. McGee a speaker at so many industry conventions and trade shows? Was it because of his amazing intellect and insights? His colorful lively presentation style? The quality of his work in the gaming industry? No, it's because his fucking name is "American McGee".
Simson Garfinkel is a pretty good tech writer. Certainly a lot more knowledgeable than some of the idjits out there. But first and foremost, his success and the attention he gets is because his name is eminently brandable and memorable due to its remarkable resemblance to "Simon and Garfunkel". This works at a subconscious level, from what I've observed, even when people don't immediately note the resemblance of his name - they note what a strange name it is, and they always seem to remember it later if they encounter it again.
I won't bother getting to all the other examples of this phenomenon at work - some of them are people I know personally who are great people but owe much of their success to this kind of clever branding ("Jennifer 8. Lee" anyone?). The power of this phenomenon is undeniable. We may all sit around and think we are above this kind of low-level marketing manipulation of our brains, but we need to face the facts: we are being manipulated by the Strange Name Mafia into their sick and twisted view of the technology industry.
Boycott weird-named pundits. Err. Or something.
Labels - but not. (Score:5, Insightful)
Further, there are several games that ship with Microsoft DirectX. That modifies your operating system. The program's package can't be labelled without the (wrench icon), unless it comes with installation instructions about how and where to download the required ActiveX features.
In other words, sometimes the labelling will simply get in the way of the whole truth.
Re:Finally (Score:5, Insightful)
Sorry, but that's complete and utter bullshit. My tech team spends too much time cleaning up after malware. I made the mistake of switching our organization over to IE several years ago, mainly due to complaints about compatibility. The majority of these nasty malware programs take advantage of design flaws in IE to enter the system and remain there.
I'm now testing Netscape 7 as a standard browser. It cannot be modified, or accessed through the operating system as can IE. Therefore, most of the loading schemes used by malware do not work. So IE is definitely part of the problem. IE is part of Windows, so it is Windows' fault. Malware programs modify Windows so that they can run as extensions to the operating system, and not actually show up as a process in the process list.
Re:Like requiring thieves to pay taxes on their lo (Score:5, Insightful)
Most spyware/adware makers feel the same way, they don't have to hide because they are not breaking any laws. And if you download the software directly from their web sites you will be presented with various screens and buttons you have to click to agree. However, the details of what you are agreeing to are anything but clear. The Claria license is 20 pages for example, and to paraphrase: "Once you click YES we can automatically download and install new software, even new versions of other vendors' software like Media Player or Flash if we need it to display ads. We can even send back a list of all the software installed on your system."
Should it be legal to bury that in a 20-page document and then say that clicking YES on a dialog box is legally binding?
Labels aren't going to help (Score:1, Insightful)
The solution is to have intelligent security (e.g. not everyone is the fucking admin user, and your web browser doesn't happily run code from other web sites). It's not rocket science.
Comment removed (Score:5, Insightful)
Who says more icons have to be bad, anyway? (Score:4, Insightful)
OTOH, if it has a lot of icons and you DON'T trust the company, it's probably NOT safe to buy. If it has one or no icons and you don't trust the company (or you do), it probably can't hurt.
Example:
Auto-Update, Uninstallable, and Modify system for a service pack from MS is no worse than Modify System + Popups from a "Free Web Accelerator" from some random website.
I can see them sticking those icons right next to the "recommended system requirements". It'd start looking like a Nutrition Facts label. They just need one for "Requires Administrative Privilege", and maybe they should either add one that says "Directly Controls Hardware" too.
And I think the telephone calls one and pop-up ones are too specific. The telephone call one should be more like "can incur incremental cost automatically" (so it'd apply to MMRPGs or Click n' Run as well) and the pop-up one should simply be "Adware".
Re:Finally (Score:3, Insightful)
Re:The idea is great... (Score:3, Insightful)
Re:The 'Evil' Bit (Score:3, Insightful)
Re:The idea is great... (Score:4, Insightful)
Absolutely. If you don't show me every piece of info you're sending through the registration process, it's spyware.
Are you sending the processor model? How about the MHz? What if I've overclocked? Maybe I don't want you to know that. Does "General system stats" include a list of running processes perhaps?
If you want to have me send in an automatically-filled out survey about my machine, I might be happy to do that for you, provided I can see and change the answers as needed. It is a survey, right? You are trusting my answers, right? If you covertly sneak some auto-detected information about my system into your registration process, that's spyware.
We have that for avionics systems... (Score:2, Insightful)
In commercial avionics there is a standard that describes the testing (and other) obligations for a software manufacturer. If you see a product certified to DO-178B level A, you know it can be used for a life-critical purpose. If you see DO-178B level E, you know they only slapped the label on something they developed without any formal development (and testing) process.
If software manufacturers are to be obliged to disclose the amount of spyware they distribute, then they should by the same account disclose how many bugs we expect them to distribute. Just make an easy-to-go-through certification in order to disclose how well you've tested your software to meet the requirements, and you're in business.
Re:Why aren't we blaming Microsoft? (Score:2, Insightful)
You have to remember that Windows is targeted more towards the Grandma/non-tech-inclined crowd, not the /. crowd. Whereas you would know what this means, Grandma wouldn't have a clue and just click 'Yes' to continue installation so she can watch the hilarious video with the cats in it.
Again, "do I want to start up 'ClockSync' at boot? Sounds important, I probably should!" Not to mention that there is no way that they'd break compatibility by removing support for all but one startup method. I do like the idea of a "pretty Startup icon," so long as it incorporates applications from ALL startup methods. (But then, how do you deal with NT Services? You don't really want Grandma disabling the "Windows Audio" service--oops, now sound doesn't work.)
You're probably talking about ActiveX, which can be very useful. The better way to go about this would be if the Code Signing Authorities (VeriSign, etc.) would have more stringent requirements before they sign spamware. (By default, unsigned code won't run.) Unfortunately, with VeriSign, this won't happen anytime soon. (*cough* SiteFinder *cough*)
I do believe the upcoming IE has a built-in popup blocker.
Which is exactly what Windows Installer is designed to do.
Good idea, but Grandma will never use it. The more enlightened will use The Proxomitron anyways.
You can use ACLs to prevent writes to those directories. However, when something tries to write to one of those folders, there could be a prompt along the lines of "Do you want a shortcut to AwesomeShitwareApp installed in the Quick Launch?" Downside: The good apps with nice installers already do this, would piss some people off that they are being asked the same question twice.
Why? (Score:3, Insightful)
If you don't know what you're buying...don't buy it.
Companies spying on employees? (Score:3, Insightful)
So this guy really feels that employers who monitor company computers are spying on their employees? Should closed circuit cameras be taken down to prevent spying on employees? It's a company computer... they can load whatever software they like on it!
.:diatonic:.
Re:That misses the point somewhat (Score:3, Insightful)
The labels in the article are indeed negative. There is a strongly perceived difference between "This product does something you might not like" and "This product behaves well."
Re:Labels - but not. (Score:5, Insightful)
Re:The right solution would be technical, not lega (Score:3, Insightful)
Re:The sound of silence (Score:2, Insightful)
Additionally, I believe the story goes that he worked as a janitor in the building that ID had their offices in and somehow got his foot in the door that way.
Re:The 'Evil' Bit (Score:5, Insightful)
Plus this is yet another American idea. The Internet is bigger than America. American laws would only protect people from software written in America. What about all the crap-ware that gets written elsewhere?
Bottom line: I give this idea 9.5 out of 10 stupids.
Re:No... (Score:4, Insightful)
To agree with you, I'd have to accept that popularity, and not design, is what creates security flaws. No, sorry, I'm not buying it. Netscape, with its 6 major vulnerabilities that have long since been patched, I can sit here and surf all day without picking up any malware. Windows is the problem, and IE is the enabler, if you will. I'm going to be switching our network workstations over to Netscape, and EULA-be-damned, I'm going to find a way to cripple IE.
Re:The 'Evil' Bit (Score:3, Insightful)
However, bad software practises that discourage freedom and innovation? Please when you make these claims back them up. Like the OS X microkernel being open source? Like giving significant help and assistance to the KHTML engine in return for its implementation in Safari (which increases its usage in the wild by many magnitudes)?
Sure, corporate entities keep secrets, and some of these secrets relate to software, but guess what? These things cost money to make, and if Apple were to give away all the stuff it worked hard on then its 11,000 employees would be literally going hungry.
As far as fair play with iTunes Music Store, you are being WILDLY unfair - the terms, by any normal standards - are unobtrusive. You can use your music on more than one computer (three), you can use your music in your movies and DVDs (if you use iMovie and iDVD on your Mac), you can burn your tunes to CD as many times as you wish. Tell me of one other large commercial online music store with better DRM than this. Apple should, in fact must, be congratulated on forcing the RIAA and the labels to bend this far - no one else even got close.
Re:Why? (Score:4, Insightful)
So, you believe you shouldn't buy something if you don't know what it does, but are against a requirement that forces the maker to explain what it does?
EULA screen, above the fold (Score:2, Insightful)
For downloaded programs, how about putting the warning label on the installer's EULA screen, above the fold? (The "fold", in human interface design, is the first line of text not visible in the initial state of a scrolling text box.)
Re:The 'Evil' Bit (Score:3, Insightful)