View Thread : Thiefware update


dominique
From my mailbox:

* Spyware legislation in Congress. Rep. Bono's "Securely Protect Yourself Against Cyber Trespass Act" purports to be tough, and it still seems to have considerable momentum. But my analysis suggests it's actually quite a weak bill -- letting many misleading installation methods continue, and granting enforcement only to the FTC (which so far has been notoriously slow to take action). See my full analysis:

What Hope for Federal Anti-Spyware Legislation?
http://www.benedelman.org/news/011905-1.html

Securely Protect Yourself Against Cyber Trespass Act
http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.29:


* Spyware legislation in the states. More than a dozen states are discussing legislation to try to stop spyware. Some of the states propose approaches I think would actually make a real difference. But nine states propose to copy the weak approach (indeed, most of the exact language) California adopted last year. My tabular listing and summaries:

State Spyware Legislation
http://www.benedelman.org/spyware/legislation/


* Misleading installations continue. I could write a whole newsletter about misleading installation methods. (Indeed, a few would-be sponsors have recently encouraged me to do exactly that.) Most outrageous are installations with no notice or consent at all -- like installations through browser or operating system security holes. But other installations claim to get user consent. Why would users consent to extra junk they don't actually need? Some installations falsely claim to be "required" updates to Windows, Internet Explorer, or Media Player. Other installations harass users with repeated popups, leaving no clear choice but to say yes. Still others offer partial or euphemistic disclosures of their functions -- for example, disclosing that they'll show ads, but not mentioning that they'll send users' web browsing activity to remote servers for long-term storage and analysis.

Spyware Installed through Security Holes
http://www.benedelman.org/news/111804-1.html

Media Files that Spread Spyware
http://www.benedelman.org/news/010205-1.html

I've seen all manner of spyware programs installed in the misleading ways described above, including programs from firms with major venture capital backing. See table of spyware investors, and the controversial characteristics of the companies they've invested in:

Investors Supporting Spyware
http://www.benedelman.org/spyware/investors/

Last week I posted screenshots and videos showing how Google's Blogspot service facilitates users' infection with spyware: Google lets its bloggers embed JavaScript code that shows deceptive popups, attempting to install software onto users' PCs.

How Google's Blogspot Helps Spread Unwanted Software
http://www.benedelman.org/news/022205-1.html

Then there's VeriSign. VeriSign makes big money selling the digital certificates that IE requires before it shows ActiveX "drive-by" installation prompts. But I've seen little sign of any VeriSign procedures to stop its certificates from being used to trick or defraud users. For example, VeriSign-issued certificates sign installers that falsely claim to be security updates. VeriSign's digital certificate page doesn't even have a web form by which harmed consumers can report abuse.

How VeriSign Could Stop Drive-By Downloads
http://www.benedelman.org/news/020305-1.html


* Claria. In November 2004, I published a critique of Claria's license -- its deficient format (missing section heading formatting) and one-sided substantive conditions (prohibiting "unauthorized" removal methods; prohibiting user inspection of Claria's transmissions over users' own Internet connections). Three months later, these defects remain.

Gator's EULA Gone Bad
http://www.benedelman.org/news/112904-1.html

Reed Freeman, Claria's new Chief Privacy Officer, was recently appointed to a Department of Homeland Security committee on information privacy. There's considerable irony here -- after all, Claria has assembled what eWeek calls the seventh-largest decision-support database in the world, storing 12.1+ terabytes of information about what web sites its users visit. Meanwhile, Freeman still has a lot to learn about Claria's true practices: In a 2004 interview, he made detailed and specific claims about Claria's installation and removal procedures, but his claims are inconsistent with my hands-on testing of Claria software.

Privacy Panel Membership Questioned
http://msnbc.msn.com/id/7031597

Claria's Practices Don't Meet Its Lawyers' Claims
http://www.benedelman.org/news/010405-1.html


In closing, a bit on my plans for the coming months: More testing of spyware programs that claim affiliate commissions. (Nearly all affiliate merchants end up paying commissions to spyware companies: Spyware programs intercede to make it look like they deserve credit for users' purchases.) More testing of "second-tier" spyware programs -- whose installation methods are even more outrageous and whose effects are even more damaging. Measurement of the performance effects (speed reduction, bandwidth requirements, etc.) of selected spyware programs. Of course, more on misleading and deceptive installation methods.

Let me offer a special welcome to the many readers who signed up since my last message. You'll see that I only send these notes once every few months, lest I intrude in your inboxes too often. But please do feel free to get in touch with suggestions and requests.


Ben Edelman
benedelman.org




dominique
