RSSWho will control your computers?
There is a broad disparity between the views of software manufacturers and their customers with regard to who is ultimately in control of the software running on the customer machine. Businesses (and consumers) like to think that they own the machines they have paid good money for, and that they are ultimately in control of what runs on the processors which they are paying to feed with electricity day in and day out. Software manufacturers view their creations as perpetually their own, regardless of where it is running, and they see the application of the software as something that continues within their purview. The view of the law in this usually unspoken dispute rests largely on the side of the software manufacturer, even as the reality of day to day use favors the consumer. The costs of detection and enforcement are formidable with respect to digital media of any sort, and software makers have pushed for even stricter code which will allow them more leeway in protecting their intellectual property.
The last major push in this battle was UCITA, the failed 2002 effort to pass the uniform Computer Information Transactions Act, a piece of legislation under the auspices of the Uniform Commercial Code (UCC) which would have given software makers broad power to spike their own programs with "electronic restraints" and surveillance routines to ensure that all utilization complies with the licensing terms which they solely determine. UCITA primarily tanked, however, on the merits of another clause, which would have done away with any doubt whatsoever as to the legitimacy of the so-called "shrinkwrap" license; a convention which forces customers to agree, in advance of installing the software, that it's absolutely perfect and they'll never try to return it, even if it should wipe out all their important data and forcibly download child porn to their computer.
The failure of UCITA has not stopped manufacturers from clinging to the assumption of invulnerability granted by the shrinkwrap license, nor has it done much to slow down increasingly aggressive authentication systems. Customers, whether enterprises or consumers, have little enough recourse as it is to use software in a manner to their ultimate benefit without the intrusion of these mechanisms. Now, Ed Foster has unearthed a disturbing resurgence of the legal cloaking of these activities which were formally shot down with UCITA but are now being pushed forward in the guise of a bill preventing spyware.
Of course everyone in IT recognizes that it will take quite a bit more than some legal code to stop spyware, but few have stopped to consider the existing status of its legality. Spyware is software, just like your operating system, and some bright folks have decided that it can have a shrink-wrap EULA too. The FTC has stomped all over that particular effort, and rightly so; but this in turn has apparently concerned more legitimate software makers, because they are all on a spectrum… if the FTC is insisting that consumers have the right to determine what will and won't run on their own systems before being forcibly bound to a legal agreement governing the matter, then it follows that the standard should apply not only to the odious (spyware) but to the merely inconvenient (unwanted monitoring routines).
So in the Counter Spyware Act, lobbyists in the pay of pay of the Business Software Alliance and other representatives of powerful software manufacturing firms have caused to be placed clauses which will specifically exempt software makers from provisions granting consumers control over the actions of their own machines for purposes of "…detection or prevention of the unauthorized use of software fraudulent or other illegal activities."
In other words, the software itself can check up on you to enforce its arbitrary EULA which you had to agree to before installation and you will be powerless to object.
There is a certain broad philosophical argument in play here over who really controls the machines you pay for and what you do with them. On one side, and to some extent according to intellectual property laws today, you may own the hardware (just as you may own a music CD) but you are merely licensing the software (just as you only license the right to play the songs on the CD) and it is the privilege of the licensor to set the terms of use, or to take their ball and go home. There are some solid, time-tested reasons for that, namely that the legal protections of intellectual property are among the only things which allow it to be profitably developed. It would be impossible to code commercial software if one were unable to regulate the copying thereof, since no one would pay for it but the first user or two.
On the other side is the argument that you pay for the clock cycles that the machine you bought is executing, and however incremental the cost of each of those, any excess consumption without your authorization is theft of a sort. If you wish to limit the processing capacity of your computer to only those tasks which you feel are most vital, should you not have that option? While a small consideration for the consumer, this is not a trivial cost to the enterprise; multiply a few extra seconds of Vista authentication by an install base of 10,000 PCs and you will find you are paying for a lot of extra electricity, not to mention salaries. Perhaps under the strained legal interpretation of the shrinkwrap EULA you have authorized all that extra processing, but if that's true, then where is your protection from truly vile virus and spyware software? At root, there isn't much difference between a Ukrainian hacker taking over your machine or Microsoft doing so… they have different motivations, but if you've lost control, you've lost it.
Of course this is one of the fundamental arguments behind the Free Open Source Software (FOSS) movement, which has no small number of power to the people, stick it to the man idealogues in its midst. Their once perhaps outlandish precept that you should have control at the most fundamental levels over what is running on your machine becomes less and less moot with the development of each program that phones home to report on your activities, each operating system release that piles on another layer of cruft to try to ensure that you are not pirating it or compromising the terms of use which may require you buy a more expensive version for certain activities that the one you already have could perform perfectly adequately.
So you have to wonder if the BSA and its member firms are simply digging their own grave with these efforts; even as other market forces are pushing businesses toward service-based, rather than software-based, offerings, the BSA is making it less and less attractive to buy and run software. The complexity of EULAs is such that interpretation, and therefore enforcement, is already largely arbitrary… a fact which should scare any thinking CIO. When the enforcement becomes codified, however, the grease which currently allows the system to ease itself along to everyone satisfaction will disappear. No more skimming the edges for expediency when it comes to software installation and use: you'll use it as you are told, or it will shut down or run tattling back to the legal department. The estimated 40% of Microsoft volume licensing customers who don't understand their licensing agreements, for example, won't simply be able to continue using software on a best effort basis. They will have to dedicate considerable time and resources into becoming compliant. With everything they are already paying for, is that a good use of resources? Every CIO will have to make that judgement if the Counter Spyware Act passes in its current form.
