The Watchers

Oklahoma Gazette | April 5, 2006
It’s supposed to protect you from predators spying on your computer habits, but a bill Microsoft Corp. helped write for Oklahoma will open your personal information to warrantless searches, according to a computer privacy expert and a state representative.

Called the “Computer Spyware Protection Act,” House Bill 2083 would create fines of up to a million dollars for anyone using viruses or surreptitious computer techniques to break on to someone’s computer without that person’s knowledge and acceptance, according to the bill’s state Senate author, Clark Jolley.

“The bill has a clear prohibition on anything going in without your permission. You have to grant permission,” said Jolley, R-Edmond. “You can look at your license agreement. It will say whether they have the ability to take that information or not.”

But therein lies the catch.

If you click that “accept” button on the routine user’s agreement, the proposed law would allow any company from whom you bought upgradable software the freedom to come onto your computer for “detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this act.”

That means that Microsoft (or another company with such software) can erase spyware or viruses. But if you have, say, a pirated copy of Excel — Microsoft (or companies with similar software) can erase it, or anything else they want to erase, and not be held liable for it. Additionally, that phrase “fraudulent or other illegal activities” means they can:

—Let the local district attorney know that you wrote a hot check last month.

—Let the attorney general know that you play online poker.

—Let the tax commission know you bought cartons of cigarettes and didn’t pay the state tax on them.

—Read anything on your hard drive, such as your name, home address, personal identification code, passwords, Social Security number … etc., etc., etc.

“I think in broad terms that is still a form of spying,” said Marc Rotenberg, attorney and executive director of the Electronic Privacy Information Center in Washington, D.C. “Some people say, ‘Well, it’s justified.’ I’m not so clear that should be the case. Particularly if the reason you are passing legislation is to cover that activity.”

The bill is scheduled to go back before the House for another vote. Will the Oklahoma House, on behalf of all computer users in the state of Oklahoma, click “accept”?

Where did you

go yesterday?

Computer users first accepted updates when anti-virus makers, such as Symantec Corp. or McAfee, began back in the Nineties offering regular updates in an attempt to stay current with the alarming number of viruses introduced over the Internet. This was followed by Windows ME and 2000 allowing updates to their programs via downloads. By the time Windows XP came out, regular online updates became part of the product one purchased.

At around the same time, the Napster phenomenon pushed music corporations, courts and lawmakers into taking action against online file sharing of music. Hip, computer-savvy listeners traded pirated MP3 recordings beyond count, leading to action by the music industry to go on a search and destroy mission against the online music traders, even in Oklahoma. In 2000, Oklahoma State University police seized a student’s computer containing thousands of downloaded songs after he was traced by a recording industry group.

Anti-spyware bill author Jolley said that’s what people like the OSU student get for sharing their information online.

“You have to look at the other side of that issue,” Jolley said. “When they agreed to put their files online, they literally agreed to allow people to come on their computers and search the files online. On a P-to-P (peer-to-peer) network, you are inviting other people to see what you have. That’s a risk you run by participating in file share.”

Jolley said his spyware bill is supposed to stop “phishers” from stealing one’s identity off of one’s computer, is supposed to stop “Trojan horse” viruses from being installed on the computer and is supposed to make illegal a host of other techniques for spying on a user’s personal information.

“It prohibits them from taking things as basic as your home address, your first name, your first initial in combination with your last name, your passwords, any personal identification numbers you have, any biometric information, any Social Security, tax IDs, drivers licenses, account balances, overdraft histories — there is a clear prohibition on that,” Jolley said.

Indeed, Sections 4 and 5 of the act specifically forbid anyone from doing so without the user’s permission.

However, Section 6 of the act says such a prohibition “shall not apply” to “telecommunications carrier, cable operator, computer hardware or software provider or provider of information service” and won’t apply to those companies in cases of “detection or prevention of the unauthorized use of or fraudulent or other illegal activities.”

Which means software companies updating a user’s software or the cable company monitoring that user’s activities on a broadband modem hookup can turn over that user’s history of writing hot checks to the district attorney if the company feels like it, said Rotenberg.

“You go back to the old-fashioned wiretap laws,” Rotenberg said. “There was an exception to allow telephone companies to listen in on telephone calls. The theory was that it was necessary to make sure that the service was working. Part of what’s going on here is to significantly expand that exemption to a whole range of companies that might have reason for looking on your computer. The statute will give them authority to do so. I think it’s too broad. I think the users in the end need to be able to allow that themselves.”

Jolley insists his proposed law would not allow Microsoft, Symantec or Cox Communications to become “Big Brother.”

“The goal of this is not to allow any company to go through and scan your computer,” Jolley said. “If they are, it has to be for a specific purpose. If you don’t want them doing that, don’t agree to (the user’s agreement).”

Which means, when a user accepts Microsoft’s Windows operating system on that new computer, or Norton AntiVirus, or Apple’s operating system or a host of other online-upgradable programs, that user agrees to being watched by the company.

Who on Earth would write such a law? It wasn’t Jolley, or anyone in Oklahoma.

Trojan horse

Behind the scenes, out of the view of everyday Oklahomans, and apparently of many of their legislators, lies a little-known corporate lobbying group driving the legislation. Jolley said his proposed law for Oklahoma actually began its life in a national Republican think tank.

“This was written by a national group of state legislators called the American Legislative Exchange Council,” Jolley said. “Private industry also cooperated on it. The folks involved on this were folks like Symantec, Computer Associates, Internet Security Systems, Hewlett-Packard, McAfee, Cyber Security Industrial Alliance, Trend Micro — they all signed off on it at the end as well as the legislators nationally, members of the task force that helped write the bill.”

The American Legislative Exchange Council, or ALEC, is a Reagan-era group that originally focused on ideological legislation, such as school prayer and anti-abortion legislation. Indeed, one of ALEC’s 2005 state officers, Rep. Susan Winchester, R-Chickasha, recently presented legislation requiring women who get abortions or have a miscarriage to register and be tracked by the state. (When Oklahoma Gazette called Winchester’s office, she was unavailable for comment.) Although the group states it is bipartisan, the officers are predominately Republican.

In recent years ALEC increased its influence (and funding) by signing on large corporations to its board of directors and concentrating on lobbying and writing pro-business legislation at the state level. Among the companies that have been involved with ALEC, in addition to Microsoft, are Coors Brewing Co., R.J. Reynolds Tobacco Co., ExxonMobile, Koch Industries, Verizon Communications and a host of other corporations. With the ascendancy of these large corporations in the organization, the group began writing state-level model legislation. By 2001, ALEC boasted having introduced nationwide 1,245 pieces of legislation, with 200 becoming law. In Oklahoma, the group strongly supported right to work, enacted in 2001, according to its Web site.

ALEC’s Telecommunications and Information Technology Task Force lists the Computer Spyware Protection Act as among its model legislation and has been successful in passing the legislation in a number of states. Called the “California Law” among computer professionals, the law has been passed at the state level with the same language as Oklahoma’s in California, Texas, Microsoft’s home state of Washington and has been introduced in other states.

Although the bill is touted to protect consumers from spyware, viruses and other malicious computer activity, at least one lawmaker in Oklahoma claims he was deceived by the way the bill was written.

State Rep. Mike Reynolds, R-Oklahoma City, said he initially read the first half of the bill — which states “it is unlawful for a person who is not an owner or operator of a computer to cause computer software to be copied on the computer knowingly” and prohibits someone from collecting personal information such as “account balance, overdraft history, or payment history that personally identifies an owner or operator of a computer, or biometric information” — and thought it sounded like a good idea.

“It’s crazy,” Reynolds said of the law. “The vote was unanimous. We were in the middle of some other bill. Someone walked up to me and said, ‘I thought you’d vote against that.’ And I said, ‘Duh.’ I thought it was about spam. I didn’t bother to read it to that level.”

However, upon reviewing the back sections of the law, Reynolds said the Computer Spyware Protection Act would do exactly the opposite of what it purports to do — it would allow computer software giant Microsoft (or other software company or online access provider) complete freedom to monitor any Microsoft user’s computer records, bank account, spending habits, e-mails, passwords … anything the user undertakes on the computer. As well, the law appears to allow such companies to investigate “fraudulent or other illegal activities,” in effect conducting a search of the user’s information without the need for a warrant on behalf of civil law enforcement.

“That’s bad,” Reynolds said. “They can go in there because they are authorized because they do detection of fraudulent, illegal activities? Now we are talking about Microsoft having the freedom to check your computer for any sort of illegal or fraudulent activity you might be participating in. Without your knowledge or consent. It is giving up your rights to privacy.”

Last chance to see

Microsoft has been active in pushing the bill through Oklahoma’s Legislature. During the 2004 election cycle, about the time the law was being signed by California Gov. Arnold Schwarzenegger, Microsoft gave $1,000 to Oklahoma’s Republican Senate Committee and $1,000 to Democratic Gov. Brad Henry. More recently, a lobbyist for Microsoft, Andrew Wise, has been visiting the state Capitol and attending discussions with legislators about the bill.

Wise was contacted several times by the Gazette regarding the bill, but said he would pass questions on to Microsoft’s corporate communications office. However, at an Oklahoma Senate technology committee meeting, while he did not deny that the bill would give Microsoft sweeping powers over software users, he said the main reason for such corporate liberties in the bill was to give liability protection to the software giant.

“The reason that language is in there is so … the way the bill has been structured … when we give you an update, we don’t want that stuff we give you to be considered spyware,” Wise said. “The reason that’s in there is to make it clear that we are allowed.”

Wise concurred that the bill would benefit other companies besides Microsoft.

“It’s not just us,” Wise said. “It’s also Symantec, Adobe, anybody who produces software that needs updates. That is why that language is in there. There is also language in there for a cable company to be able to allow us to do those updates through their lines, and then they’re not liable. We are transmitting our IP, updates, whatever, through their pipes and if it’s spyware, they don’t want to be held liable for the spyware going through their pipes. They are just the conduit.”

Indeed, the bill also grants such powers to “a telecommunications carrier, cable operator, computer hardware or software provider, or provider of information service or interactive computer service.”

Wise again reiterated that someone from Microsoft would call: “I’ll get someone to call you and explain it better than I did,” he said. However, Microsoft did not call the Gazette.

During the committee meeting attended by Wise, Jolley succeeded in getting language removed that would have revoked immunity to those companies under certain circumstances. Jolley said the language was added in the House, and conflicted with a later section. That section states, in part: “No provider of computer software or of an interactive computer service may be held liable for identifying, naming, removing, disabling, or otherwise affecting a computer program through any action voluntarily undertaken.” While this clause would allow a company to erase a spyware or virus program from a user’s computer, it would also allow such a company to erase — without liability — any other program it deemed fit, Reynolds said.

Reynolds said the law would also place all blame for mistakes on the computer’s owner or user.

“If Microsoft comes on to my machine, and they think I’ve got a program that I haven’t paid for, but I actually paid for it, I have to fix my machine so that I don’t trick Microsoft anymore,” Reynolds said. “I have to fix a false positive. If they report me, turn me in to the DA for having illegal software, and I prove it’s not illegal, I have to fix my computer if I don’t want to be reported again.”

Reynolds said the bill has yet another administrative vote in the House and that he is now forewarned and forearmed regarding the issue.

“This will come back to the House because the title is not on it,” Reynolds said. “So, it can’t go to the Senate to be voted on, and go to the governor and become law yet. Believe me, there will be a lot more debate the next time.”

Spokesman Phil Bacharach said Gov. Henry refused comment on the bill until it reaches his desk. However, Bacharach said monetary donations from Microsoft would not sway Henry into adopting the bill.

“Absolutely not. The governor will review that legislation just as he would any other, based on its own merits,” Bacharach said.

In Washington, D.C., Rotenberg said Oklahomans should beware when a company like Microsoft, instead of Oklahoma’s own legislators, writes the state’s bills.

“I have to say, that’s not that unusual for business groups to write that kind of legislation. I think it’s unfortunate,” he said.” You don’t want business groups writing the laws … but then, I’m in Washington, so I guess I’m in no position to say that.”

Oklahoma Gazette

In its inaugural issue of Oct. 15, 1979, Oklahoma Gazette, at that time an upstart, bimonthly publication with a mere 2,000 circulation, featured a page-one story about the Oklahoma City Council’s recent passage of an urban conservation district. Hardly sexy...
More »
Contact for Reprint Rights
  • Market Served: Metropolitan Area
  • Address: 3701 N. Shartel Ave., Oklahoma City, OK 73118
  • Phone: (405) 528-6000