Canadian Parliament considers anti-malware law

Posted by Maxim Weinstein Thu, 30 Apr 2009 15:35:50 GMT

The Canadian House of Commons is considering bill C-27, the Electronic Commerce Protection Act. In addition to providing civil penalties for unsolicited commercial e-mail (spam) and for the unauthorized interception of e-mail (man-in-the-middle attacks), it provides similar penalties for the unauthorized installation of software.

The specifics of the software installation section of the bill are interesting. (Disclaimer: I’m not a lawyer, this isn’t legal advice, etc.)

  • The law would only apply to software installed "in the course of a commercial activity." Commercial activity is defined broadly (and circularly, with reference to activity of a "commercial nature"), but I think I understand the meaning.
  • The law would require "express consent" for software installation, which is explicitly stated to include "clearly and simply" describing the "function, purpose, and impact of every computer program that is to be installed." (Note that this is similar to section IIA of our badware guidelines, though it does not explicitly include the part about potentially unwanted behaviors.)
  • A party responsible for installing (or presumably distributing for installation) a piece of software would be required to provide contact info, valid for at least a year, through which someone could request the removal of the software. If the request is due to an inaccuracy in the disclosure, the installing/distributing party must assist in removing or disabling the software from the user’s computer.
  • All penalties are in the form of fines, intended to be commensurate with the extent of the violation. Maximum fines are CDN$1,000,000 for an individual and CDN$10,000,000 for any other party.

This legislation seems pretty good, and I particularly like that it focuses on a simple, clear expectation of informed consent. Of course, much of the badware problem is global, so this won’t be a panacea, but at least it will help the Canadian government go after certain types of badware that originate within their borders. Still, a few questions about the legislation:

  • Why is installing software without consent only an offense when it occurs "in the course of a commercial activity?" Stalking, espionage, mischief, and politics are all non-commercial motives to install spyware or malware without consent.
  • Who is/are the party/parties responsible for installing software via a drive-by download? Is it only an offense if the drive-by occurs on a commercial website?
  • Why no criminal penalties (e.g., prison sentences) for egregious cases where there is a clear intent to cause harm?
  • I found the section about providing contact information unclear. What, exactly, is a company supposed to do when someone calls to say, "I want this software removed from my computer?" The company is only expected to assist with removal if the disclosure was inaccurate, so what about when the user wants to remove the software for some other reason?

I think this legislation could be valuable even without answering these questions, but it would be really nice to know how these questions will be addressed. Do you have thoughts on this legislation? Let us know in the comments!


Ascentive products removed from active alerts list

Posted by Maxim Weinstein Mon, 27 Apr 2009 20:33:35 GMT

After a few months of ongoing communication with StopBadware, Ascentive (operator of the website FinallyFast.com) has released new versions of its PC SpeedScan Pro and Spyware Striker Pro products. Both appear to address all of the issues that led us to label them badware. We have therefore updated and archived both alerts. Thanks to the company for keeping us informed about new releases.


Register for the ASC public workshop

Posted by Maxim Weinstein Wed, 22 Apr 2009 20:39:55 GMT

Register now for the Anti-Spyware Coalition public workshop on May 19 in Washington, DC. The workshop should be excellent, with keynotes from U.S. cybersecurity chief Melissa Hathaway, Consumer’s Union security specialist Jeff Fox, and Washington Post security columnist Brian Krebs. It will also feature several interesting panels, including one that I’ll be facilitating on the topic "Who owns the problem?" That panel will feature:

  • Jeffrey Troy, Chief of the Cyber Criminal Section, Federal Bureau of Investigation
  • Sam Fleitman, Chief Operations Officer, SoftLayer Technologies, Inc
  • Bob Bruen, KnujOn
  • Kevin Haley, Director of Product Management, Symantec Security Response
  • Alissa Cooper, Center for Democracy and Technology
  • Andy Steingrubel, Manager of Secure Development, PayPal Information Risk Management

I hope to see you there!


CyberDefender removed from active alerts list

Posted by Maxim Weinstein Fri, 17 Apr 2009 17:24:20 GMT

After several months of ongoing communication, CyberDefender has released a version of its flagship suite, CyberDefender Early Detection Center, that appears to address all of the issues that led us to label it badware. We have therefore archived the alert. Thanks to the company for keeping the lines of communication open.


Network reputations

Posted by Maxim Weinstein Thu, 16 Apr 2009 17:09:46 GMT

Yesterday, some of my colleagues and I attended a talk at Harvard’s Center for Research on Computation and Society. The talk was given by Mike Collins, a network security researcher who currently works at RedJack, and it focused on the limitations of intrusion detection systems as a form of network defense. The primary content of the talk was rather technical and quantitative, but Mike ended with an interesting conclusion: it may be possible to significantly decrease network-based attack traffic (port scanning, worm spreading, and the like) by blocking incoming access from the IP addresses and subnets that have historically behaved badly. By limiting the blocking to only the top 20 bad IP addresses and to relatively few, narrowly defined subnets, he says, the risk of infection could plummet without causing too many false positives (i.e., blocking legitimate traffic). Even more interesting was his observation that networks that have behaved badly in the past tend to keep behaving badly.

If this last statement is accurate, then developing systems to track subnet reputation and apply this information to decision-making could be a viable application of John Palfrey et al.’s theory about peer production Internet governance. (PDF) What might this look like, and what are some of the issues that would have to be addressed? Here are a few thoughts:

  • Does one type of bad behavior on a network (e.g., sending spam) correlate highly with other types of bad behavior (e.g., port scanning or perpetuating the SQL Slammer worm)? If not, reputations would have to be developed separately for each type of behavior. (Or, I suppose, a decision could be made to broadly punish any one bad behavior by blocking access across the board.)
  • If we expect network providers to police their networks to reduce "bad" behavior, how do we balance a desire for hands-off network management (i.e., don’t decide what I can and can’t do online) with a desire for the provider to prevent badness?
  • How does reputation change over time? What happens when the owner/operator of a network changes, and the new owner behaves differently than the old?
  • What happens when a single IP address or subnet has a lot of bad activity but also a lot of legitimate activity, as in situations where an entire country’s Internet traffic filters out through a small IP space?
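To make the questions above concrete, here is an added Python sketch of a per-address and per-subnet reputation tracker. It is illustrative code written for this post, not code from the talk, from RedJack, or from StopBadware. Everything it assumes is a design choice rather than something the post states: one score per behavior type (so spam and scanning can be ranked separately or summed), exponential decay with a one-week half-life (so a network that stops misbehaving eventually falls off the list), a bad-traffic fraction gate (so a gateway that carries a country's worth of legitimate traffic alongside a little spam is not blocked on raw counts), and /24 prefixes as the "narrowly defined" subnet, blocked only when most observed hosts in it are bad. The sample events use documentation address ranges and are constructed, not real telemetry.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from math import exp, log

DAY = 86_400
HALF_LIFE = 7 * DAY               # assumed: a bad observation loses half its weight per week
DECAY = log(2) / HALF_LIFE


@dataclass
class Reputation:
    """Decayed evidence for one address, kept separately per behavior type."""
    bad: dict = field(default_factory=lambda: defaultdict(float))  # e.g. {"scan": 1.6, "spam": 0.9}
    good: float = 0.0               # decayed count of legitimate flows seen from the address
    last: "float | None" = None     # time of the last update; observations must arrive in time order

    def _decay(self, now):
        if self.last is not None:
            if now < self.last:
                raise ValueError("observations must be applied in time order")
            f = exp(-DECAY * (now - self.last))
            for k in self.bad:
                self.bad[k] *= f
            self.good *= f
        self.last = now

    def observe(self, now, kind, weight=1.0):
        self._decay(now)
        if kind == "legit":
            self.good += weight
        else:
            self.bad[kind] += weight

    def score(self, now, kind=None):
        """Current badness: one behavior type, or all types summed."""
        self._decay(now)
        return sum(self.bad.values()) if kind is None else self.bad.get(kind, 0.0)

    def bad_fraction(self, now):
        """Share of this address's traffic that was bad; guards shared gateways and NATs."""
        b = self.score(now)
        return b / (b + self.good) if b + self.good else 0.0


class ReputationTracker:
    def __init__(self, prefix_len=24, min_score=0.05, min_fraction=0.5):
        self.ips = defaultdict(Reputation)
        self.prefix_len = prefix_len      # how narrowly a "bad subnet" is defined (assumed /24)
        self.min_score = min_score        # below this the evidence has decayed to nothing
        self.min_fraction = min_fraction  # an address must be mostly bad before it is blocked

    def observe(self, now, ip, kind):
        self.ips[ip].observe(now, kind)

    def is_bad(self, rep, now, kind=None):
        return rep.score(now, kind) >= self.min_score and rep.bad_fraction(now) >= self.min_fraction

    def top_ips(self, now, n=20, kind=None):
        """The n worst addresses, optionally ranked on one behavior type only."""
        ranked = sorted(((r.score(now, kind), ip) for ip, r in self.ips.items()
                         if self.is_bad(r, now, kind)), reverse=True)
        return [ip for _, ip in ranked[:n]]

    def bad_subnets(self, now, min_hosts=3, min_host_fraction=0.5):
        """Prefixes where most *observed* hosts are bad; one noisy host never taints its /24."""
        seen, bad = defaultdict(set), defaultdict(set)
        for ip, r in self.ips.items():
            net = ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)
            seen[net].add(ip)
            if self.is_bad(r, now):
                bad[net].add(ip)
        return sorted(str(net) for net in seen
                      if len(bad[net]) >= min_hosts
                      and len(bad[net]) / len(seen[net]) >= min_host_fraction)


# Constructed sample telemetry (time in seconds, source IP, observed behavior); not real data.
SAMPLE_EVENTS = [
    (0 * DAY, "198.51.100.9", "scan"),           # scanned once two months ago, then went quiet
    (60 * DAY, "203.0.113.5", "scan"), (60 * DAY, "203.0.113.5", "scan"), (61 * DAY, "203.0.113.5", "spam"),
    (60 * DAY, "203.0.113.6", "scan"),
    (61 * DAY, "203.0.113.7", "worm"),
    (60 * DAY, "203.0.113.8", "legit"),          # the one clean host in that /24
    *[(62 * DAY, "192.0.2.1", "legit")] * 20,    # busy shared gateway: mostly legitimate...
    (62 * DAY, "192.0.2.1", "spam"), (62 * DAY, "192.0.2.1", "spam"),  # ...with a little spam
]


def build_tracker(events=SAMPLE_EVENTS):
    t = ReputationTracker()
    for now, ip, kind in sorted(events):   # decay assumes time-ordered updates
        t.observe(now, ip, kind)
    return t


if __name__ == "__main__":
    t, now = build_tracker(), 62 * DAY
    print("block:", t.top_ips(now))            # ['203.0.113.5', '203.0.113.7', '203.0.113.6']
    print("spam only:", t.top_ips(now, kind="spam"))
    print("subnets:", t.bad_subnets(now))      # ['203.0.113.0/24']
```

Run as written, the old scanner at 198.51.100.9 has decayed below the threshold and drops off the list, the gateway at 192.0.2.1 has the second-highest spam score but is spared by the bad-fraction gate, and only the /24 where three of four observed hosts misbehaved is blocked as a subnet. Whether those thresholds are the right ones is exactly the judgment call the questions above are about; the point of separating the per-type scores, the decay, and the fraction gate is that each question can be answered by tuning one knob without rewriting the others.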

This type of question is not new to StopBadware, of course. We and our partners deal with some similar issues in the work we do in publicizing badware websites. In fact, as we expand our Badware Website Clearinghouse, we expect that security researchers, law enforcement, and network providers will be able to use the data as a way to make their own judgments about the reputation of particular sites and network providers. If we ever decide to extend our work into, say, creating a "reputation score" for particular URLs, network blocks, or IP addresses, we’ll have to carefully consider all of these questions.
