Uniform Computer Information Transactions Act
en.wikipedia.org/wiki/UCITA
I cringe at the thought of it. I worked on UCITA stuff almost 8 years ago, and we thought it was pretty much dead. There was a push for states to pass it as a state law, but it's so very anti-consumer, that only 2 passed it. Now it's back in the form of an anti-spyware bill, S 1625. And this bill is even more anti-consumer - it would allow for remote disabling of your computer if "unauthorized use of software fraudulent or other illegal activities" are found.
No due process, no notice, no nothing.
I'm sorry for the length of the cut and paste, but this is a *very* stealthy maneuver, and I doubt we'll see much coverage of it at all.
I believe this bill would be unconstitutional if passed, but again, if it does pass (and is signed), it would have to be litigated, taking up time and resources.
INFOWORLD GRIPE LINE BY ED FOSTER
www.gripe2ed.com/scoop/sto...1219/71034
Spyware bill cloaks a mini-UCITA
By Ed Foster, Section The Gripelog
Posted on Mon Jun 16, 2008 at 01:02:19 AM PDT
The holy grail for the software industry's political muscle has long been what in UCITA was called "electronic self help" - the right of software publishers to remotely disable their software on the mere suspicion that it hasn't been paid for. UCITA was ultimately stopped, but last Wednesday the Senate Commerce Committee held a hearing on a bill that nominally is supposed to fight spyware but seems intended to make remote disabling legal.
As I suggested last week, S. 1625 -- the Counter Spy Act -- takes an anti-spyware approach that's very similar to the way the failed Can-Spam Act of 2003 attacked spam. Its list of prohibited behaviors - like taking over computers with zombies and collecting information for identity theft -- are all already clearly illegal under existing laws. Its various loopholes would allow some bad actors to claim they're actually following the law. And actual victims would have virtually no recourse but to beg the FTC to take action.
But one aspect of the Counter Spy Act is far more troubling than anything that was in Can-Spam. It's the "Limits on Liability" provision, more specifically Section 6(a). That says the whole laundry list of prohibited acts in the bill:
"do not apply to any monitoring of, or interaction with, a subscriber's Internet or other network connection or service, or a protected computer, by or at the direction of a telecommunications carrier, cable operator, computer hardware or software provider, financial institution or provider of information services or interactive computer service..."
These institutions have immunity under the Counter Spy Act when what they're doing is done for purposes of network security, diagnostics, technical support and other mostly innocuous-sounding activities. In fact, with the first nine of these liability exemptions it seems rather odd that they would need to be mentioned at all in the context of the clearly nefarious behaviors prohibited by the bill. But the tenth and final exemption is granted for when the otherwise prohibited acts are done for:
"(10) detection or prevention of the unauthorized use of software fraudulent or other illegal activities."
Besides the fact that the clause needs a comma or two, what does preventing "the unauthorized use of software" have to do with spyware? Is the Counter Spy Act fighting for privacy or against piracy? To understand the real purpose of 6(a)(10), we need only look at the written testimony of Vincent Weafer, a vice president of Symantec who was representing the Business Software Alliance (BSA) before the committee. The BSA, by the way, was by far the primary lobbyist - some might even say the primary authors -- of UCITA and its electronic self help concept.
Weafer praised Section 6(a) as "a provision allowing legitimate security and anti-piracy activities." Along with the obviously legitimate activities that are provided exemption, he went on to say that "Section 6(a) also covers the detection and prevention of the unauthorized use of software. This is essential to our industry's ability to protect our products against theft. Software piracy results in almost 50 billion dollars in losses to the software industry each year, including more than 8 billion dollars in the US alone. Given these massive losses, it is absolutely critical that companies that engage in otherwise lawful conduct to detect or prevent piracy or other unlawful acts are not unwittingly subject to liability under anti-spyware laws."
OK, but which software providers (not to mention telecommunication carriers, financial institutions, etc.) get to conduct these anti-piracy activities? After all, the spyware purveyors themselves often claim to be authorized software providers who got the user to click OK to their EULA. The troubling questions raised by 6(a)(10) were pointed out to the Senate committee in the written testimony of Art Butler, an attorney representing Americans for Fair Electronic Commerce Transactions (AFFECT). By the way, AFFECT is the organization that stopped UCITA from being passed in any more states after it was rushed into law in Virginia and Maryland. And it's an organization that I've been a member of since its inception, so there's no question whose side I'm on.
Subsection 6(a)(10) would allow a software vendor to surreptitiously download code onto a user's computer and freely violate their privacy, Butler wrote. "It would allow the provider to set itself up as an ad hoc police force to conduct warrantless searches and to act as judge and jury to conduct unilateral seizures. Private entities do not and should not have the right to conduct law enforcement activities. More troubling is the fact that the language of Subsection 6(a)(10) would effectively allow a software provider to unilaterally decide to remotely shut down the user's computer or Internet or other network connection or service. But whether the use of a particular software is 'unauthorized,' 'fraudulent,' or 'illegal' is often subject to legitimate dispute and merits some judicial consideration before a provider is allowed to unilaterally employ a drastic remedy like remote disablement."
AFFECT has a very modest proposal for tweaking 6(a)(10), but on that I personally feel they don't go nearly far enough. Even if 6(a)(10) were removed entirely, the net effect of the Counter Spy Act would still be to make the spyware problem worse. The basic approach of prohibiting a list of specific acts is a fatally flawed way of defining a moving target like spyware. Inevitably, it will let bad guys do bad things that weren't included on the list.
In its hearing last Wednesday the committee clearly struggled with the basic issue of how to define spyware, so perhaps there is hope they'll realize they need a completely different approach. They've been given some good advice in that regard. In his testimony, spyware expert Ben Edelman argued for a radical simplification of S.1625 that would focus on increasing the penalties such as a treble fine in FTC actions. And the FTC itself in its testimony before the Senate committee and in comments last year about similar bills in the House has made it clear it doesn't want new definitions of spyware but the ability to bring civil actions against those it goes after under existing laws.
So who is it that actually wants spyware laws to take this laundry list approach, and why? The only thing I can figure is it's the software industry and perhaps the major ISPs who know they can't have their exemptions if there aren't specific prohibited acts to exempt them from.
Of course, the BSA side also questions the motives behind opposing arguments. Weafer in his testimony warned the Commerce committee that "certain interest groups" would seek to weaken or delete Section 6(a). "The purpose of weakening this provision is not to protect against spyware, but to make it harder for legitimate companies to fight piracy, or other fraudulent or illegal activities," he wrote. "The laudable anti-spyware goals of this Act should not be subverted for this purpose."
Well, I agree with him that the laudable goals of the Counter Spy Act should not be subverted, but I would say the BSA is the certain interest group that is trying to do so for its long-held purpose of legalizing electronic self help. And if you agree with me, you should consider writing your U.S. Senators and telling them that you'd like to see S. 1625 dumped. Congress needs to find ways to help fight spyware, but handing a host of commercial entities unfettered powers over our computers isn't one of them.
-
Re: UCITA = bad news
Mon, June 16, 2008 - 9:55 PM
Ugh. That sounds awful. But I wonder if it is already happening, because a friend of mine claimed that it happened to him.
-
Re: UCITA = bad news
Mon, June 16, 2008 - 10:06 PM
If your friend lives in Maryland or Virginia, it's possible that it did. Otherwise, I'd have to say that it was something else.... Some weird copyright thing, maybe?
-
Re: UCITA = bad news
Mon, June 16, 2008 - 10:08 PM
Alright, I've been a lazy computer user so I know nothing about Open Source stuff and Linux or Ubuntu. Is it time to find a way to avoid all this interference from companies? And where does a newbie start? I've been using Macs since 1984 and I don't relish changing, but this is really annoying to hear about all the limits on our freedoms associated with just about every bill out of Congress since 9/11/01. And given the current state of the Democratic party, I have my doubts these incursions into freedom will be reversed if they get the presidency this year.
-
Re: UCITA = bad news
Mon, June 16, 2008 - 10:27 PM
Hey there Deb --
UCITA pre-dates 9/11. I was working on it in mid-1999. UCITA has been moribund for years, but now it seems to be coming back to life.
I've been flirting with Ubuntu, and I'm a Mac girl too.... but I think that this goes beyond whether or not all you have on your computer is open source stuff. Just as the RIAA makes mistakes when they try to sue everyone under the sun for copyright violations, mistakes will be made with this too. In this case, who knows how much access you'll have to what's on your computer if it's remotely disabled.
I think this is a case where we have to stop it before it becomes law. It's time to start calling the bill's sponsors. And sadly, Barbara Boxer is one of them!!!! :(
The good news is that I can think of at least three ways to litigate this if it got passed. But man, it'll take years.
-
Re: UCITA = bad news
Mon, June 16, 2008 - 10:45 PM
Yes, I agree that it's been going on longer...more like from the early PNAC days that laid the groundwork for Reagan. 9/11/01 was a catalyst to use fear against the American public to actually implement the pro-corporation stance in all legislative measures. I wonder how long it would take the US to return to a pre-Reagan level of freedoms. How much effort would be required? I wonder if groups are working on a complete list of any legislation that should be reversed when the Democrats win in November. I bet a government could take a full term with a majority in the House and Senate and still not get through reversing the damage that started with Reagan.