November 27, 2020

Utah Anti-Spyware Bill

The Utah state legislature has passed an anti-spyware bill, which now awaits the governor’s signature or veto. The bill is opposed by a large coalition of infotech companies, including Amazon, AOL, AT&T, eBay, Microsoft, Verizon, and Yahoo.

The bill bans the installation of spyware on a user’s computer. The core of the bill is its definition of “spyware”, which includes both ordinary spyware (which captures information about the user and/or his browsing habits, and sends that information back to the spyware distributor) and adware (which displays uninvited popup ads on a user’s computer, based on what the user is doing). Leaving aside the adware parts of the definition, we’re left with this:

(4) Except as provided in Subsection (5), “spyware” means software residing on a computer that:

(a) monitors the computer’s usage;
(b) (i) sends information about the computer’s usage to a remote computer or server; or [adware stuff omitted]; and
(c) does not:

(i) obtain the consent of the user, at the time of, or after installation of the software but before the software does any of the actions described in Subsection (4)(b):

(A) to a license agreement:

(I) presented in full; and
(II) written in plain language;

(B) to a notice of the collection of each specific type of information to be transmitted as a result of the software installation; [adware stuff omitted]
and

(ii) provide a method:

(A) by which a user may quickly and easily disable and remove the software from the user’s computer;
(B) that does not have other effects on the non-affiliated parts of the user’s computer; and
(C) that uses obvious, standard, usual, and ordinary methods for removal of computer software.

(5) Notwithstanding Subsection (4), “spyware” does not include:

(a) software designed and installed solely to diagnose or resolve technical difficulties;
(b) software or data that solely report to an Internet website information previously stored by the Internet website on the user’s computer, including:

(i) cookies;
(ii) HTML code; or
(iii) Java Scripts; or

(c) an operating system.

Since all spyware is banned, this amounts to a requirement that programs that meet the criteria of 4(a) and 4(b) (except those exempted by 5), must avoid 4(c) by obtaining user consent and providing a suitable removal facility.

The bill’s opponents claim the definition is overbroad and would cover many legitimate software services. If they’re right, it seems to me that the notice-and-consent requirement would be more of a burden than the removability requirement, since nearly all legitimate software is removable, either by itself or as part of a larger package in which it is embedded.

I have not seen specific examples of legitimate software that would be affected. A letter being circulated by opponents refers generically to “a host of important and beneficial Internet communication software”, that gather and communicate data that “may include information necessary to provide upgrade computer security, to protect against hacker attacks, to provide interactivity on web sites, to provide software patches, to improve Internet browser performance, or enhance search capabilities”. Can anybody think of a specific example, in which it would be burdensome to obtain the required consent or to provide the required removal facility?

[Opponents also argue that the bill’s adware language is overbroad. That in itself may be enough to oppose the bill; but I won’t discuss that aspect of the bill here.]

Comments

  1. Gerard Sharp says:

    Microsoft Media Player (you know, that integral part of the Operating System that you can’t remove) collects user details and sends them home – or so I’ve been told; I refuse to it.
    It certainly fails 4.c.ii.A – Removal, and is borderline 4.c.i.A.ii – plain language license agreement; but Microsoft would like to claim excemption under 5.c – “Operating” System.

    I’ve also heard reports of msword.exe requiring an internet connection; and it used to be that you installed a firewall to keep bad packets from getting in TO your computer.

  2. Based on just the quick snippet of info, the way to skirt the entire law is with section 5, and not by complying with section 4.

    Section 5’s language needs to be re-written or it leaves the door completely open for a smart developer to use the time and URL associated with HTTP GETs to get just about any info they want out of your computer. Think dash-dot-dash-dot-dot-dash.

  3. European data protection standards require the user’s informed consent for spyware since 1995, see this working paper adopted in November 2000

    http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2000/wp37en.pdf

    pages 45 onwards for some more detail. The paper calls spyware programs “E.T. programs”, after the character in Spielberg’s film which phones home to his planet first.

  4. I share Ed’s sense of the effects and scope of this legislation. So I too have been puzzled by the negative pressures from big companies here, and the negative media coverage that seems to be resulting.

    For more on this, see my new article:

    A Close Reading of Utah’s Spyware Control Act
    http://www.benedelman.org/spyware/utah-mar04/

    Ben

  5. Utah Anti-Spyware Bill Becomes Law

    Ben Edelman reports that Utah’s governor signed HB323 into law yesterday. That’s the anti-spyware law I discussed two weeks ago. I guess we’ll find out whether the bill’s opponents were right about its supposed burden on legitimate software businesses….

  6. DRM software that secures a downloadable digital media asset to a particular users name and computer may have problems with this law. The information DRM technologies need to collect and associate looks a lot like the same stuff spyware does. The ability to delete locally stored license keys without an online connection could make securing media assets difficult, or limit the rights DRM technolgies can convey to consumers.

    Self patching support software also has a problem because if it is there to protect the user from dangerous security or stability flaws discovered in real-time then allowing users to easily turn it off could generate enomormous technical support difficulties and consumer confusion, especially in a world where Microsoft can change a users OS environment in real-time with their updater but all other software vendors who employ identical technology to support their products and adapt to environment changes that may have been instigated by Microsoft are considered suspect for doing the same thing.