February 28, 2005 at 3:13 pm #587914 Anonymous Inactive
From my mailbox:
* Spyware legislation in Congress. Rep. Bono’s “Securely Protect Yourself
Against Cyber Trespass Act” purports to be tough, and it still seems to have
considerable momentum. But my analysis suggests it’s actually quite a weak
bill — letting many misleading installation methods continue, and granting
enforcement only to the FTC (which so far has been notoriously slow to take
action). See my full analysis:

What Hope for Federal Anti-Spyware Legislation?
http://www.benedelman.org/news/011905-1.html

Securely Protect Yourself Against Cyber Trespass Act
http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.29:

* Spyware legislation in the states. More than a dozen states are
discussing legislation to try to stop spyware. Some of the states propose
approaches I think would actually make a real difference. But nine states
propose to copy the weak approach (indeed, most of the exact language)
California adopted last year. My tabular listing and summaries:

State Spyware Legislation
http://www.benedelman.org/spyware/legislation/

* Misleading installations continue. I could write a whole newsletter about
misleading installation methods. (Indeed, a few would-be sponsors have
recently encouraged me to do exactly that.) Most outrageous are
installation with no notice or consent at all — like installations through
browser or operating system security holes. But other installations claim
to get user consent. Why would users consent to extra junk they don’t
actually need? Some installations falsely claim to be “required” updates to
Windows, Internet Explorer, or Media Player. Other installations harass
users with repeated popups, leaving no clear choice but to say yes. Still
others offer partial or euphemistic disclosures of their functions — for
example, disclosing that they’ll show ads, but not mentioning that they’ll
send users’ web browsing activity to remote servers for long-term storage
and analysis.

Spyware Installed through Security Holes
http://www.benedelman.org/news/111804-1.html

Media Files that Spread Spyware
http://www.benedelman.org/news/010205-1.html

I’ve seen all manner of spyware programs installed in the misleading ways
described above, including programs from firms with major venture capital
backing. See table of spyware investors, and the controversial
characteristics of the companies they’ve invested in:

Investors Supporting Spyware
http://www.benedelman.org/spyware/investors/

Last week I posted screenshots and videos showing how Google’s Blogspot
service facilitates users’ infection with spyware: Google lets its bloggers
embed JavaScript code that shows deceptive popups, attempting to install
software onto users’ PCs.

How Google’s Blogspot Helps Spread Unwanted Software
http://www.benedelman.org/news/022205-1.html

Then there’s VeriSign. VeriSign makes big money selling the digital
certificates that IE requires before it shows ActiveX “drive-by”
installation prompts. But I’ve seen little sign of any VeriSign procedures
to stop its certificates from being used to trick or defraud users. For
example, VeriSign-issued certificates sign installers that falsely claim to
be security updates. VeriSign’s digital certificate page doesn’t even have
a web form by which harmed consumers can report abuse.

How VeriSign Could Stop Drive-By Downloads
http://www.benedelman.org/news/020305-1.html

* Claria. In November 2004, I published a critique of Claria’s license —
its deficient format (missing section heading formatting) and one-sided
substantive conditions (prohibiting “unauthorized” removal methods;
prohibiting user inspection of Claria’s transmissions over users’ own
Internet connections). Three months later, these defects remain.

Gator’s EULA Gone Bad
http://www.benedelman.org/news/112904-1.html

Reed Freeman, Claria’s new Chief Privacy Officer, was recently appointed to
a Department of Homeland Security committee on information privacy. There’s
considerable irony here — after all, Claria has assembled what eWeek calls
the seventh-largest decision-support database in the world, storing 12.1+
terabytes of information about what web sites its users visit. Meanwhile,
Freeman still has a lot to learn about Claria’s true practices: In a 2004
interview, he made detailed and specific claims about Claria’s installation
and removal procedures, but his claims are inconsistent with my hands-on
testing of Claria software.

Privacy Panel Membership Questioned
http://msnbc.msn.com/id/7031597

Claria’s Practices Don’t Meet Its Lawyers’ Claims
http://www.benedelman.org/news/010405-1.html

In closing, a bit on my plans for the coming months: More testing of spyware
programs that claim affiliate commissions. (Nearly all affiliate merchants
end up paying commissions to spyware companies: Spyware programs intercede
to make it look like they deserve credit for users’ purchases.) More
testing of “second-tier” spyware programs — whose installation methods are
even more outrageous and whose effects are even more damaging. Measurement
of the performance effects (speed reduction, bandwidth requirements, etc.)
of selected spyware programs. Of course, more on misleading and deceptive
installation methods.

Let me offer a special welcome to the many readers who signed up since my
last message. You’ll see that I only send these notes once every few
months, lest I intrude in your inboxes too often. But please do feel free
to get in touch with suggestions and requests.

Ben Edelman
benedelman.org