Comparison of Unwanted Software Installed by P2P Programs
Hands-on testing reveals the specific additional programs bundled with certain peer-to-peer filesharing programs. I capture screenshots of key steps in installation, and I discuss the characteristics that make the installation licenses particularly difficult for users to read and understand. Some peer-to-peer programs bundle multiple other programs users may not want and may not intend to accept, but other peer-to-peer programs contain no apparent bundled software.
Computer users have recently come to face a barrage of software installed on their PCs even though they don't want it. Some of this software arrives through security holes. Other programs come from misleading popups that look like official messages reporting required browser updates. This article investigates a further source of unwanted software: Add-ons bundled with peer-to-peer filesharing programs.
I chose to test the five applications listed below based on their high reported total downloads within c|net Download.com's MP3 Search Tools and File Sharing categories. Kazaa is not currently listed at Download.com, but I nonetheless included it due to its reported prevalence.
Program | Required installations disclosed in main installer screens | Optional installations disclosed in installer | Installations disclosed only through license agreement scroll boxes | Undisclosed installations | Bundled software: Tracks web browsing | Bundled software: Ads shown in or around web browser | Registry additions: Keys | Registry additions: Values | File system additions: Folders | File system additions: Files
eDonkey | Webhancer, GloPhone, Web Search Toolbar, New.net | Yes | Yes | Registry keys: 280 | Registry values: 944 | Folders: 23 | Files: 353
License: 7,767 words, 90 on-screen pages. Narrow license window shows 3-5 words per line. Multiple licenses merged into a single scroll box. Failure to disclose even general functions of some software to be installed. Details.
iMesh | AskJeeves (MySearch) toolbar (see discussion of disclosure shortcomings) | Registry keys: 488 | Registry values: 1589 | Folders: 30 | Files: 214
License: 5,493 words, 56 on-screen pages. Installs a web browser toolbar, but never uses the word "toolbar." Broken links in license agreement. Details.
Kazaa | Cydoor, GAIN, Instafinder, My Search Toolbar | Skype | Desktop icon additions ("Your Free Casino Chips!" and "Play Poker Now!") | Yes | Yes | Registry keys: 845 | Registry values: 1477 | Folders: 112 | Files: 638
License: 22,606 words, 182 on-screen pages. Multiple licenses merely referenced, not shown. Multiple licenses merged into a single scroll box. Multiple references to external documents purportedly incorporated by reference. Separate section headings merged into body text. Restrictions on permitted removal methods. Details.
LimeWire | says "ads" and "nagware" | Registry keys: 134 | Registry values: 527 | Folders: 61 | Files: 864
No license shown or referenced. Details.
Morpheus | Direct Revenue | Maybe. See notes. | Yes | Yes | Registry keys: 85 | Registry values: 312 | Folders: 15 | Files: 384
License: 4,492 words, 44 on-screen pages. Broken link in license agreement. Restrictions on permitted removal methods. Purported grant of permission to remove other programs. Failure to disclose certain information collected. Details.
I installed the specified programs on separate test PCs, each running only Windows XP and the limited additional software necessary to conduct my testing, measurement, and archival. In each installation, I accepted the installer's default settings, including default bundled programs to be installed. After each installation was complete, I restarted the test PC, then loaded my web browser and browsed to www.google.com. Via this procedure, I attempted to activate any delayed-install bundles that waited for restart or web browser use. However, this procedure cannot activate delayed-install bundles, nor bundles with extended delays or other installation conditions.
Reporting in the "bundled software" columns combines my analysis of applicable license agreements and my hands-on testing of the respective programs and their bundled add-ons.
All testing was performed in February - March 2005.
Others have previously noted the problem of unwanted software bundled with peer-to-peer programs. A June 2004 FTC press release highlighted the risk that P2P programs bundle "unwanted software ... including spyware." An internal document from Kazaa's chief technology officer revealed Kazaa's awareness of these risks, including many Kazaa employees apparently unwilling to install Kazaa's own software.
My testing uncovered no bundled software installed without at least some disclosure apparent in a careful and complete reading of all applicable installation license agreements. However, it is possible that programs were installed that I failed to detect, especially if bundled program installations were set to be delayed after installation of the requested P2P software.
Although each P2P installer included at least a vague reference to each program to be installed, certain P2P programs' installation procedures nonetheless present cause for concern. For one, substantive disclosures are generally detailed only in license agreements presented in scroll boxes -- often squeezing thousands of words of text into small windows requiring dozens of page-downs to view in full.
In addition, some installers' vague disclosures call into question whether users who press "yes" can reasonably be said to understand what they are (purportedly) accepting. Some installers fail to provide even general information about the programs to be installed. For example, the eDonkey installer offers users New.net without stating the general purpose of New.net software and without disclosing any effects of accepting the installation. Other installers describe selected general effects but fail to prominently mention other effects likely of interest to most users. For example, when Kazaa installs Claria, the Kazaa installer prominently mentions Claria's advertisements but does not prominently mention transmission of user activities to a Claria "decision support" database (reportedly the seventh-largest in the world).
Beyond the frequently-downloaded P2P filesharing programs I tested for this analysis, less well-known P2P programs also bundle unwanted programs. The installation practices of these lesser-known programs may be even more confusing or deceptive to typical consumers. For example, in October 2004 I tested Grokster, finding that Grokster installed certain software even if users pressed Cancel to attempt to deny such installations. (Screenshots and video.) In June 2004 I examined the installer for Kiwi Alpha. In my testing, Kiwi Alpha bundled software from 180solutions, but Kiwi mentioned 180 only at pages 16 through 33 of a 54-page license agreement, without any heading or other text alerting users to the presence of 180 or to the 180 license shown midway through the scroll box. Instead, users would have to scroll to midway through the agreement even to learn of 180's inclusion. (See screenshots.)
One program in my sample is notable not for its inclusion of bundled software but for its omission of such software. Not only did LimeWire not include bundled software, but in my testing it also did not show any advertisements beyond promotions for the paid version of LimeWire.
Appendix: Analysis of Specific Licenses and Installation Procedures
The eDonkey installer shows license agreements in two distinct stages. First, eDonkey shows a five-screen (545-word) set of rules pertaining to use of eDonkey (e.g. policies on copyright violation and child pornography). Second, as highlighted at right, eDonkey shows an 85-screen (7,222-word) document giving the licenses of some of the programs eDonkey offers to install. This second document is difficult for users to meaningfully review and understand, due to at least the following characteristics:
See also installer screenshots, license agreement text, and license agreement screenshots.
At 5,493 words and 56 on-screen pages, iMesh's license agreement was the second-shortest of those shown by the programs tested here (excluding those programs that showed no license agreement). But the iMesh license is still lengthy -- 19% longer than the US Constitution (4,616 words), and 102% longer than the Google Terms of Service and Privacy Policy combined (2,726 words).
What is most notable about iMesh's installation is what it does not say: Although iMesh installs a toolbar into users' browsers, iMesh's installer never mentions the addition of any such software. Indeed, the word "toolbar" does not appear in iMesh's license agreement. In a mis-formatted paragraph at page 27 of the license (see inset at right), the license begins to discuss a "search bar function," which the license subsequently admits "sends a configuration request ... when [a user] start[s his] browser." But nowhere does iMesh define what the "search bar function" entails. Nor does iMesh disclose that this "bar" is in fact a toolbar added to the user's web browser, reducing the amount of Internet Explorer screen space available for other purposes.
The iMesh license discusses its privacy policy and removal procedure. But where surrounding text indicates that URLs should reference an external privacy policy and an external removal instructions document, the iMesh license instead includes only placeholders. See highlighted text at left.
See also installer screenshots, license agreement text, and license agreement screenshots.
The Kazaa installer asks users to accept unusually lengthy license agreements. All told, the Kazaa installation requires accepting 22,606 words of license agreements -- nearly five times the length of the US Constitution. Kazaa includes four separate licenses shown in three separate windows, only one of them affirmatively shown to users without users' specific request, but collectively totaling 182 on-screen pages. Kazaa's licenses further cite seven additional web pages purportedly included by reference.
See also installer screenshots; license agreements for Kazaa and its bundled software from Altnet and Claria; and license agreement screenshots.
Whereas the Kazaa installer showed so many lengthy licenses, LimeWire is notable for not showing or referencing any license agreement at all. See screenshots below, installing LimeWire without any mention of a license.
Since LimeWire contains no apparent bundled software, its on-disk presence might be expected to be smaller than its 61 folders and 864 files (the second-largest and largest additions among the programs I tested, as measured along those metrics; though simultaneously the second-smallest in both registry keys and values). My examination of the specific files and folders created by LimeWire reveals the reason for the many additions: More than half the folders created by LimeWire and more than 65% of files were associated with the Java runtime that LimeWire requires. Users who do not otherwise seek to run Java software may see these files as a burden. However, those who already have a Java runtime may not require any of these files or folders, making LimeWire's on-disk burden for such users among the smallest of tested programs.
My hands-on testing of LimeWire's application yielded only ads promoting the paid version of LimeWire, but no advertising for third-party products.
See also full-size installation screenshots.
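The before/after file system measurement described in the testing procedure, and the attribution of added files to a bundled runtime discussed for LimeWire, can be reproduced on a test PC with a snapshot diff. This is an added example, not the tooling used for the article; the function names, the "jre" directory marker and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter

def snapshot(root):
    """Return (folders, files) as sets of paths relative to root."""
    folders, files = set(), set()
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for d in dirnames:
            folders.add(os.path.normpath(os.path.join(rel, d)))
        for f in filenames:
            files.add(os.path.normpath(os.path.join(rel, f)))
    return folders, files

def additions(before, after):
    """Folders and files present after the install but not before."""
    return after[0] - before[0], after[1] - before[1]

def share_by_component(paths, markers):
    """Count paths per component: a path belongs to the first marker that
    appears as one of its directory names, otherwise to 'other'."""
    counts = Counter()
    for p in paths:
        parts = p.split(os.sep)
        counts[next((m for m in markers if m in parts), "other")] += 1
    return counts

def demo():
    # Constructed sample tree standing in for a test PC's program folder.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Existing"))
        open(os.path.join(root, "Existing", "app.exe"), "w").close()
        before = snapshot(root)  # taken on the clean machine
        # Simulated install: application files plus a bundled runtime.
        for rel in ["P2PApp/app.jar", "P2PApp/readme.txt",
                    "P2PApp/jre/bin/java.exe", "P2PApp/jre/lib/rt.jar",
                    "P2PApp/jre/lib/ext/a.jar"]:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        # Taken after restart and first browser launch, per the procedure.
        new_dirs, new_files = additions(before, snapshot(root))
        return (len(new_dirs), len(new_files),
                share_by_component(new_files, ["jre"]),
                share_by_component(new_dirs, ["jre"]))
```

A diff like this only sees what exists when the second snapshot is taken, so bundles that install after a longer delay need a later snapshot; registry additions are outside its scope.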
Morpheus neither shows nor references any license for its own software. However, Morpheus shows a Direct Revenue license agreement and installs Direct Revenue software. At 4,492 words and 44 on-screen pages, Morpheus's DR license is the shortest of the license agreements analyzed in this article. But reading the license could be burdensome nonetheless. According to research conducted by Human Factors International, the average adult's reading speed is 250 to 300 words per minute, such that this license would still require 15 to 18 minutes to read in full.
The Direct Revenue license contains a number of notable provisions:
See also full-size installation screenshots for Morpheus, as well as license agreement text and screenshots for Direct Revenue (as installed by Morpheus).
In addition to Direct Revenue, Morpheus's FAQ also discloses bundling of IBIS. A Slyck article dated February 10, 2005 discusses Morpheus's inclusion of IBIS, and a Google search yields hundreds of similar reports. However, in my testing, Morpheus's installer neither disclosed installation of IBIS nor actually installed IBIS. If Morpheus in fact installs IBIS, e.g. with some delay after installation, Morpheus's installation procedure offers no applicable disclosure and obtains no such consent.
In certain testing of February 2005, Morpheus showed no license agreement at all, and did not install Direct Revenue or other software.
This article builds on paid consulting I conducted for LimeWire. I thank LimeWire for their willingness to let me share my findings with the public.
My interest in spyware originally arose in part from a prior consulting engagement in which I served as an expert to parties adverse to Gator in litigation. See Washingtonpost.Newsweek Interactive Company, LLC, et al. v. the Gator Corporation. More recently, I have served as an expert or consultant to other parties adverse to spyware companies.
Thanks to Mike Kneller for CSS tips.
Last Updated: March 7, 2005