November 24, 2024

What is Spyware?

Recently the Anti-Spyware Coalition released a document defining spyware and related terms. This is an impressive-sounding group, convened by CDT and including companies like HP, Microsoft, and Yahoo.

Here is their central definition:

Spyware and Other Potentially Unwanted Technologies

Technologies implemented in ways that impair users’ control over:

  • Material changes that affect their user experience, privacy, or system security
  • Use of their system resources, including what programs are installed on their computers
  • Collection, use and distribution of their personal or otherwise sensitive information

These are items that users will want to be informed about, and which the user, with appropriate authority from the owner of the system, should be able to easily remove or disable.

What’s interesting about this definition is that it’s not exactly a definition – it’s a description of things that users won’t like, along with assertions about what users will want, and what users should be able to do. How is it that this impressive group could only manage an indirect, somewhat vague definition for spyware?

The answer is that spyware is a surprisingly slippery concept.

Consider a program that lurks on your computer, watching which websites you browse and showing you ads based on your browsing history. Such a program might be spyware. But if you gave your informed consent to the program’s installation and operation, then public policy shouldn’t interfere. (Note: informed consent means that the consequences of accepting the program are conveyed to you fully and accurately.) So behaviors like monitoring and ad targeting aren’t enough, by themselves, to make a program spyware.

Now consider the same program, which comes bundled with a useful program that you want for some other purpose. The two programs are offered only together, you have to agree to take them both in order to get either one, and there is no way to uninstall one without uninstalling the other too. You give your informed consent to the bundle. (Bundling can raise antitrust problems under certain conditions, but I’ll ignore that issue here.) The company offering you the useful program is selling it for a price that is paid not in dollars but in allowing the adware to run. That in itself is no reason for public policy to object.

What makes spyware objectionable is not the technology, but the fact that it is installed without informed consent. Spyware is not a particular technology. Instead, it is any technology that is delivered via particular business practices. Understanding this is the key to regulating spyware.

Sometimes the software is installed with no consent at all. Installing and running software on a user’s computer, without seeking consent or even telling the user, must be illegal under existing laws such as the Computer Fraud and Abuse Act. There is no need to change the law to deal with this kind of spyware.

Sometimes “consent” is obtained, but only by deceiving the user. What the user gets is not what he thinks he agreed to. For example, the user might be shown a false or strongly misleading description of what the software will do; or important facts, such as the impossibility of uninstalling a program, might be withheld from the user. Here the issue is deception. As I understand it, deceptive business practices are generally illegal. (If spyware practices are not illegal, we may need to expand the legal rules against business deception.) What we need from government is vigilant enforcement against companies that use deceptive business practices in the installation of their software.

That, I think, is about as far as the law should go in fighting spyware. We may get more anti-spyware laws anyway, as Congress tries to show that it is doing something about the problem. But when it comes to laws, more is not always better.

The good news is that we probably don’t need complicated new laws to fight spyware. The laws we have can do enough – or at least they can do as much as the law can hope to do.

(If you’re not running an antispyware tool on your computer, you should be. There are several good options. Spybot Search & Destroy is a good free spyware remover for Windows.)

HD-DVD Requires Digital Imprimatur

Last week I wrote about the antitrust issues raised by the use of encryption to “protect” content. Here’s a concrete example.

HD-DVD, one of the two candidates for the next-gen DVD format, uses a “content protection” technology called AACS. And AACS, it turns out, requires a digital imprimatur on any content before it can be published.

(The imprimatur – the term is Latin for “let it be printed” – was an early technology of censorship. The original imprimatur was a stamp of approval granted by a Catholic bishop to certify that a work was free from doctrinal or moral error. In some times and places, it was illegal to print a work that didn’t have an imprimatur. Today, the term refers to any system in which a central entity must approve works before they can be published.)

The technical details are in the AACS Pre-recorded Video Book Specification. The digital imprimatur is called a “content certificate” (see p. 5 for overview), and is created “at a secure facility operated by [the AACS organization]” (p. 8). It is forbidden to publish any work without an imprimatur, and player devices are forbidden to play any work that lacks an imprimatur.

Like the original imprimatur, the AACS one can be revoked retroactively. AACS calls this “content revocation”. Every disc that is manufactured is required to carry an up-to-date list of revoked works. Player devices are required to keep track of which works have been revoked, and to refuse to play revoked works.

The AACS documents avoid giving a rationale for this feature. The closest they come to a rationale is a statement that the system was designed so that “[c]ompliant players can authenticate that content came from an authorized, licensed replicator” (p. 1). But the system as described does not seem designed for that goal – if it were, the disc would be signed (and the signature possibly revoked) by the replicator, not by the central AACS organization. Also, the actual design replaces “can authenticate” by “must authenticate, and must refuse to play if authentication fails”.

The goal of HD-DVD is to become the dominant format for release of movies. If this happens, the HD-DVD/AACS imprimatur will be ripe for anticompetitive abuses. Who will decide when the imprimatur will be used, and how? Apparently it will be the AACS organization. We don’t know how that organization is run, but we know that its founding members are Disney, IBM, Intel, Microsoft, Panasonic, Sony, Toshiba, and Warner Brothers. A briefing on the AACS site explains the “AACS Structure” by listing the founders.

I hope the antitrust authorities are watching this very closely. I hope, too, that consumers are watching and will vote with their dollars against this kind of system.

RIAA Saber-Rattling against Antispoofing Technologies?

The RIAA has fired a shot across the bow of P2P companies whose products incorporate anti-spoofing technologies, according to a story (subscribers only) in Friday’s National Journal Tech Daily, by Sarah Lai Stirland. The statement came at a Washington panel on the implications of the Grokster decision.

“There’s definitely a lot of spoofing going on on the networks, and nobody thinks that that’s not fair game,” said Cary Sherman, president of the Recording Industry Association of America, on Friday. “Some networks actually put out some anti-spoofing filters to enable people to get around the spoofs, and that may well be a sign of intent.”

The comment came in answer to a question about the kinds of lawsuits that might be brought in the wake of the high court’s decision.

What Sherman is suggesting is that if a P2P vendor includes anti-spoofing technology in their product, that action demonstrates an intent to facilitate infringement, making the vendor liable as an indirect infringer under Grokster.

Perhaps Sherman is asserting that anti-spoofing technologies lack substantial noninfringing uses, and so do not qualify for the Sony Betamax safe harbor. This is wrong in general. It’s well known that some of the files on P2P systems are of low audio or video quality, or are mislabelled altogether. This is true of both infringing and non-infringing files. A technology that can predict which files will have low quality, or which users will be sources of low quality files, will help users find what they want. Spoof files are just low quality files that are inserted deliberately, so technologies that reject low-quality files will tend to reject spoof files, and vice versa.

Of course some particular vendor might introduce such a filter for bad reasons, because they want to abet infringement. But one cannot infer such intent merely from the presence of the filter.

One popular interpretation of Grokster is that the Court said a company’s overall business practices, rather than its technology, will determine its liability. That seems to follow from the Court’s refusal to revise the Sony Betamax rule. And yet Sherman’s complaint here is all about technology choices. Is this the precursor to lawsuits against undesired technologies?

Posner and Becker, Law and Economics

Richard Posner and Gary Becker turn their bloggic attention to the Grokster decision this week. Posner returns to the argument of his Aimster opinion. Becker is more cautious.

After reiterating the economic arguments for and against indirect liability, Posner concludes:

There is a possible middle way that should be considered, and that is to provide a safe harbor to potential contributory infringers who take all reasonable (cost-justified) measures to prevent the use of their product or service by infringers. The measures might be joint with the copyright owners. For example, copyright owners who wanted to be able to sue for contributory infringement might be required, as a condition of being permitted to sue, to place a nonremovable electronic tag on their CDs that a computer would read, identifying the CD or a file downloaded from it as containing copyrighted material. Software producers would be excused from liability for contributory infringement if they designed their software to prevent the copying of a tagged file. This seems a preferable approach to using the judicial system to make a case by case assessment of whether to impose liability for contributory infringement on Grokster-like enterprises.

It’s fascinating that Judge Posner, with his vast knowledge about the law and about economics, avoids a case-by-case law and economics approach and looks instead for a technical deus ex machina. Unfortunately, his knowledge of technology is shakier, and he endorses a technical approach that is already discredited. Nobody knows how to create the indelible marks he asks for, and in any case the system he suggests is easily defeated by encrypting or compressing the content – not to mention the problems with malicious placement of marks. In short, this approach is a non-starter.

Becker is right on the mark here:

But several things concern me about the issues raised by this and related court decisions. I basically do not trust the ability of judges, even those with the best of intentions and competence, to decide the economic future of an industry. Do we really want the courts determining when the fraction of the total value due to legal sales is high enough to exonerate manufacturers from contributory infringement? Neither the wisest courts nor wisest economists have enough knowledge to make that decision in a way that is likely to produce more benefits than harm. Does the fraction of legitimate value have to be higher than 50 per cent, 75 per cent, 10 per cent, or some other number? Courts should consider past trends in these percentages because new uses for say a software – legal or illegal – inevitably emerge over time as users become more familiar with its potential. Must courts have to speculate about future uses of software or other products, speculation likely to be dominated by dreams and hopes rather than firm knowledge?

One of the tenets of the law and economics movement is that decisions about legal regulation of economic behavior should be grounded in a deep understanding of economics. Sound economics can predict the effect of proposed legal rules; but bad economics leads to bad law. As luminaries of the law and economics movement, Posner and Becker understand this as well as anyone.

What is true of economics is equally true of computer science. Only by understanding computer science can we predict the impact of proposed regulations of technology. As we have seen so many times, bad computer science leads to bad law. Posner seems to miss this, but Becker’s stance shows appropriate caution.

One criticism of law and economics is that it works well in a seminar room but may lead to dangerous overconfidence if applied to a hard case by an overworked, generalist judge. One solution is to teach judges more economics, and economic seminars for judges have proliferated. Perhaps the time has come to run seminars in computer science for judges.

GAO Data: Porn Rare on P2P; Filters Ineffective

P2P nets have fewer pornographic images than the Web, and P2P porn filters are ineffective, according to data in a new report from the U.S. Government Accountability Office (GAO).

Mind you, the report’s summary text says pretty much the opposite, but where I come from, data gets more credibility than spin. The data can be found on pages 58-69 of the report. (My PDF reader calls those pages 61-72. To add to the confusion, the pages include images of PowerPoint slides bearing the numbers 53-64.)

The researchers did searches for images, using six search terms (three known to be associated with porn and three innocuous ones) on three P2P systems (Warez, Kazaa, Morpheus) and three search engines (Google, MSN, Yahoo). They looked at the resulting images and classified each image as adult porn, child porn, cartoon porn, adult erotica, cartoon erotica, or other. For brevity, I’ll lump together all of the porn and erotica categories into a meta-category that I’ll call “porne”, so that there are two categories, porne and non-porne.

The first observation from the data is that P2P nets have relatively few porne images, compared to the Web. The eighteen P2P searches found a total of 277 porne images. The eighteen Web searches found at least 655 porne images. But they had to cut off the analysis after the first 100 images of each Web search, because the Web searches returned so many images, so the actual number of Web porne images might have been much larger. (No such truncation was necessary on the P2P searches.)

The obvious conclusion is that if you want to regulate communications technology to keep porne away from kids, you should start with the Web, because it’s a much bigger danger than P2P.

The report also looked at the effectiveness of the porn blocking facilities built into some of the products. The data show pretty clearly that the filters are ineffective at distinguishing porne from non-porne images.

Two of the P2P systems, Kazaa and Morpheus, have built-in porn blocking. The report did the same searches, with and without blocking enabled, and compared the results. They report the data in an odd format, but I have reorganized their data into a more enlightening form. First, let’s look at the results for the three search terms “known to be associated with pornography”. For each term, I’ll report two figures of merit: what percentage of the porne images was blocked by the filter, and what percentage of the non-porne images was (erroneously) blocked by the filter. Here are the results:

Product  | % Porne Blocked | % Non-porne Blocked
Kazaa    | 100%            | 100%
Morpheus | 83%             | 69%

Kazaa blocks all of the porne, by the clever expedient of blocking absolutely everything it sees. For non-porne images, Kazaa has a 100% error rate. Morpheus does only slightly better, blocking 83% of the porne, while erroneously blocking “only” 69% of the non-porne. In all, it’s a pretty poor performance.

Here are the results for searches on innocuous search terms (ignoring one term which never yielded any porne):

Product  | % Porne Blocked | % Non-porne Blocked
Kazaa    | 100%            | -9%
Morpheus | -150%           | 0%

You may be wondering where the negative percentages come from. According to the report, more images are found with the filters turned on than when they are turned off. If the raw data are to be believed, turning on the Morpheus filter more than doubles the amount of porne you can find! There’s obviously something wrong with the data, and it appears to be that searches were done at different times, when very different sets of files were available. This is pretty sloppy experimental technique – enough to cast doubt on the whole report. (One expects better from the GAO.)

But we can salvage some value from this experiment if we assume that even though the total number of files on the P2P net changed from one measurement to the next, the fraction of files that were porne stayed about the same. (If this is not true, then we can’t really trust any of the experiments in the report.) Making this assumption, we can then calculate the percentage of available files that are porne, both with and without blocking.

Product  | % Porne, without Filter | % Porne, with Filter
Kazaa    | 27%                     | 0%
Morpheus | 20%                     | 38%

The Kazaa filter successfully blocks all of the porne, but we don’t know how much of the non-porne it erroneously blocks. The Morpheus filter does a terrible job, actually making things worse. You could do better by just flipping a coin to decide whether to block each image.
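The arithmetic behind the innocuous-term tables, as an added example that is not part of the original post or the GAO report: it computes both figures of merit, flags a negative block rate as a sign that the file population changed between runs, and falls back to the porne share with and without the filter. The image counts are constructed to reproduce the percentages quoted above and are not the report's raw data; the names `Counts`, `evaluate` and `SAMPLES` are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Counts:
    """Images returned by one set of searches, split into the post's two categories."""
    porne: int
    non_porne: int

def pct_blocked(off: int, on: int):
    """Percent of images that disappear when the filter is on.
    Negative means more images were found with the filter on."""
    return None if off == 0 else round(100 * (off - on) / off)

def pct_porne(c: Counts):
    """Percent of returned images that are porne."""
    total = c.porne + c.non_porne
    return None if total == 0 else round(100 * c.porne / total)

def evaluate(off: Counts, on: Counts) -> dict:
    blocked_p = pct_blocked(off.porne, on.porne)
    blocked_n = pct_blocked(off.non_porne, on.non_porne)
    share_off, share_on = pct_porne(off), pct_porne(on)
    return {
        "porne_blocked": blocked_p,
        "non_porne_blocked": blocked_n,
        # A negative rate cannot come from filtering: the file
        # population changed between the two measurement runs.
        "population_drift": any(v is not None and v < 0
                                for v in (blocked_p, blocked_n)),
        "porne_share_off": share_off,
        "porne_share_on": share_on,
        "filter_makes_it_worse": (share_on or 0) > (share_off or 0),
    }

# Constructed counts (filter off, filter on), chosen to match the
# percentages in the post; not taken from the GAO report.
SAMPLES = {
    "Kazaa": (Counts(4, 11), Counts(0, 12)),
    "Morpheus": (Counts(2, 8), Counts(5, 8)),
}

if __name__ == "__main__":
    for product, (off, on) in SAMPLES.items():
        print(product, evaluate(off, on))
```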

So here’s the bottom line on P2P porne filters: you can have a filter that massively overblocks innocuous images, or you can have a filter that sometimes makes things worse and can’t reliably beat a coin flip. Or you can face the fact that these filters don’t help.

(The report also looked at the effectiveness of the built-in porn filters in Web search engines, but due to methodological problems those experiments don’t tell us much.)

The policy prescription here is clear. Don’t mandate the use of filters, because they don’t seem to work. And if you want filters to improve, it might be a good idea to fully legalize research on filtering systems, so people like Seth Finkelstein can finish the job the GAO started.