One of the many problems facing security engineers is warning fatigue – the tendency of users who have seen too many security warnings to start ignoring the warnings altogether. Good designers think carefully about every warning they display, knowing that each added warning will dilute the warnings that were already there.
Warning fatigue is a significant security problem today. Users are so conditioned to warning boxes that they click them away, unread, as if instinctively swatting a fly.
Which brings us to H.R. 2752, the “Author, Consumer, and Computer Owner Protection and Security (ACCOPS) Act of 2003”, introduced in the House of Representatives in July, and discussed by Declan McCullagh in his latest column. The bill would require a security warning, and user consent, before allowing the download of any “software that, when installed on the user’s computer, enables 3rd parties to store data on that computer, or use that computer to search other computers’ contents over the Internet.”
Most users already know that downloading software is potentially risky. Most users are already accustomed to swatting away warning boxes telling them so. One more warning is unlikely to deter the would-be KaZaa downloader.
This is especially true given that the same warning would have to be placed on many other types of programs that meet the bill’s criteria, including operating systems and web browsers. The ACCOPS warning will be just another of those dialog boxes that nobody reads.
Another question to ask on this bill is whether it is an intended fix-up to copyright law. If so, Jessica Litman’s documentation of the history of copyright law would lead us to believe that a large number of the stakeholders would need to agree to it in order to pass it. Otherwise, we can expect it to be quashed in committee.
Another tidbit: this bill may actually be an attempt to protect consumers! Right now, consumers are liable for copyright infringement even if they don’t know it is occurring. So if you don’t know your PC is accidently serving as a file server for hackers, you still owe money to the people whose copyrights you have infringed. A law like this, if better worded, might actually be able to help consumers by allowing them to have a waiver for damages if they didn’t know about the copyright infringement.
I’m not sure whether browsers, mail readers, and the like are covered by this bill. There is a decent argument either way. But given that the bill imposes criminal penalties for offering covered software without a warning, I would expect people to err on the side of safety by over-warning. Indeed, some people may just issue the warning for all of their software, just to be safe.
Congress seems to have trouble writing a definition that separates P2P apps from other apps. The Berman-Coble bill in the last Congress had a similar problem, also offering a definition that seemed overbroad and aimed in the wrong direction. Stay tuned for a top-level posting about this issue.
Cypherpunk: For legal purposes, you can assume it is well established that web browsers allow third parties to access data on one’s computers. This happened with the web browser privacy debate in 2000/2001. Search on “Michael Wallent testimony to Congress” for a Microsoft admission to it in the public record.
Upon looking more closely at the law I am struck by a few things. First, Declan’s column is quite misleading. He claims, “The fine print says huge categories of software–including Web browsers, instant messaging clients and e-mail utilities–that are offered for download must contain a warning that it ‘could create a security and privacy risk.'”
Where does Declan get the idea that this law applies to web browser, IM clients and email programs? As Ed accurately describes, the software has to allow 3rd parties to store data on your computer or to use your computer to search other computers on the net. I don’t see that this applies to any of the types of programs Declan lists.
In fact, I can hardly think of any software that does do this. An ftp server would potentially allow 3rd parties to store data on your computer; and if you ran a search engine, then that might let 3rd parties search other computers on the net using your system. But those are very small categories of software.
The only P2P-like system that might be covered would be something like Freenet. It does make your computer into a server that will accept uploads from 3rd parties, and it also propagates searches through the net so that your system searches on behalf of 3rd parties. So it would probably be covered. But typical P2P apps like Kazaa don’t do either of these things.
In short, this law appears to miss the mark rather badly, perhaps due to a misunderstanding about how P2P systems work. And Declan is carrying on an unfortunate habit of over-dramatizing the impact of regulatory legislation. As it stands, it doesn’t look like this law would have much effect on any widely used forms of software.
This law wouldn’t necessarily increase the number of dialog boxes. It increases the regulatory compliance requirements on both open source developers and commercial software developers, giving the government the ability to arrest/inprison them if they prove annoying.
Microsoft already offers or is planning to offer products that meet the regulatory requirments of this law. For them, it would be a meaningless checkbox item. For others, especially smaller developers unfamiliar with law, this could be a one-way ticket to prison.
I agree that developers have an obligation (ethically, at least) to warn users before exposing their files to the world. This is especially true for P2P systems that are likely to expose copyrighted files, thereby making the user a lawbreaker and potential lawsuit target. A bill to require that kind of warning might make sense; but that’s not what this bill would do.
Reading the title “warning fatigue” I thought it was going to be about the constant warnings offered by the online rights community about how we are about to descend into a totalitarian nightmare.
In any case, I do think it is a good idea for a software package to inform the user about what kinds of privileges it will take with his file system. Some people use P2P software for downloading files, without realizing that the software also turns their system into a server, breaking the copyright infringement laws and making them liable for potentially millions of dollars in fines. It would be good for them to know about this ahead of time.
I don’t know about the specific provisions in this bill, and I don’t care much for government mandates, but as a developer I would feel an obligation to warn users of my software if I were putting them at that kind of risk.