180solutions's
Misleading Installation Methods - Dollidol.com When a user receives 180 software from Dollidol.com, a close 180 distribution partner, the user cannot reasonably be said to have consented to 180's subsequent actions. To the extent that disclosures tell users about 180's effects, disclosures use such confusing euphemisms that users cannot discern what 180 will actually do. Furthermore, on-screen disclosures omit important practices that reasonable users would want to know about. |
Related Projects 180solutions & Affiliate Commissions WhenU Violates Own Privacy Policy Documentation of Gator Advertisements and Targeting |
180solutions uses a variety of installation practices to place its advertising software on users' PCs. For example, 180 has repeatedly been shown (by me [1, 2, 3, 4, 5] and others [1, 2, 3, 4, 5]) to become installed through security holes, without any notice or consent. 180 sometimes claims that such installations are rogue rule-breakers -- "the online equivalent of spammers," "deceptive," "bad actors," and "fraud." More recently, 180 has promised to stop such practices -- claiming its new "Safe and Secure Search" (S3) installation method will assure that users always grant consent before receiving 180solutions software.
But what is S3, and what kind of "consent" does it actually obtain? To find out, I look at installations of 180solutions software by Doll Idol (dollidol.com), a close 180 partner featured in a recent 180 blog entry. My examination shows numerous important shortcomings in Doll Idol's installation of 180 software. Some specifics:
Update: 180solutions representative Sean Sundall posted a response to this article in comments at ZDNet and at Vital Security. See my analysis and critique of his response.
Installation at Sites Targeted at Children
180's Zango software is promoted at Doll Idol, a site that is self-evidently targeted at children. Doll Idol's site features overstated cartoon characters, primarily female characters with a child-like appearance.
Doll Idol is but one of many 180solutions partners targeted at children. 180's Backstage Network press release mentions other sites seemingly targeted at children and youth. 180 partner sites offer cartoons (JibJab and Media Pickle), games (3DJoe, All Games Free, BoneLand, Kings of Chaos, and Newgrounds), popular music (Sir Mix-A-Lot), and even "sound effects for prank phone call needs" (Goonland). I previously described 180 installations at Ezone.com, a games site that specifically touted its suitability to children via specific wording in its privacy policy. Others recently reported 180 installations at a second-grade class's web site -- a site catering to kids both in its substance (class information) and its style (simple wording, childlike graphics).
Some adults may also be interested in some of the sites offering 180solutions. But in my experience, the majority of these sites are more likely to be of interest to children than to adults.
Installation Disclosures: Misleading Statements, Euphemisms, and Material Omissions
When Doll Idol encourages users to accept 180's Zango, Doll Idol and 180 fail to tell users about the material effects of installing Zango.
Doll Idol's front page invites users to "click here to begin," offering a "personalized avatar of the day" that is purportedly "powered by zango." But despite this reference to Zango, Doll Idol here provides no information about what Zango is, or about what it means for a portion of a web site to be "powered by" a software vendor. (Compare this nonstandard use of "powered by" with the phrase's more typical industry use, e.g. the eBay.com site describing itself as "powered by Sun" when it runs on Sun hardware.)
If a user clicks on either of the invitations at right, Doll Idol shows the image below (at left). This window's sole apparent purpose is to invite a user to click the prominent "Create New Avatar" button at top of page -- a button which will cause a user's PC to download 180's Zango EXE. But on my standard 800x600 test PC, the window appeared in the manner shown in the screenshot at left -- with the bottom portion of the window placed off the bottom edge of the screen, without any scroll bar available to bring the bottom portion of that window into view. Users therefore do not see the page's disclosure of 180's bundled advertising software -- a disclosure placed in the off-screen bottom third of the pop-up.
Doll Idol's "Create New Avatar" screen, as opened on my test PC. | Moving the window to view the 180 disclosure at window bottom. |
Even if a user received the window's disclosure, e.g. by moving the "Create New Avatar" window (as in the image above, at right) or by using a PC with a higher screen resolution, the disclosure fails to describe the material effects of 180's software. The disclosure admits that Zango shows "advertisements," but the disclosure does not mention that these ads appear as much-hated pop-ups. Furthermore, the disclosure mentions privacy consequences only indirectly: The disclosure says 180 "does not collect or share any personal information," but the disclosure fails to mention that 180 tracks what web sites users visit and that 180 sends this information to 180's main servers.
"Safe and Secure Search" Confirmation Screen: Misleading Statements, Euphemisms, and Material Omissions
If a user presses the "Create New Avatar" button in the screen above, the user receives a 180 Zango installer EXE. This installer shows a single screen that describes some 180 practices and embeds 180's license agreement. This is the "safe and secure search" (S3) confirmation screen 180 repeatedly touts (1, 2, 3, 4, 5, 6, 7, 8). But this screen cannot and does not cure the disclosure problems flagged above. To the contrary, the S3 screen actually adds new problems.
Like the preceding (off-screen) disclosure, this S3 screen describes 180's pop-up ads only as "advertisements." Here again, 180 fails to mention that its ads are pop-ups -- the characteristic of these ads that typical users would consider most important.
Also like the preceding screen, this S3 disclosure makes no affirmative mention of the privacy effects of installing 180's software. The S3 screen links to a separate privacy policy, but it omits even a brief description of the important privacy effects of installing 180 -- effects that reasonable users would want to consider when deciding whether to install 180's software.
Although computer experts are likely to realize that 180' S3 screen indicates an attempt to install software on their PCs, ordinary computer users are less likely to understand. Browsing the Doll Idol site, a user merely sought to edit graphics within the doll site's library, a task that need not require installing new software onto a user's computer. Furthermore, 180's vague and misleading disclosures fail to warn users that 180 is not a mere component of the Doll Idol site, but rather a separate program that will run permanently on users' computers (whether or not they even return to Dollidol.com). 180's on-screen text tends to further users' false impression that 180 is part of what they requested. For example, 180 places the misleading label "Finish" on its affirmative installation button -- falsely suggesting that pressing that button would finish the task the user sought to perform (creating a new avatar), when in fact that button finishes a task a user had never actually requested (installing 180solutions advertising software). A better label for 180's installation button would be "Accept installation" or "I agree."
180's S3 confirmation box also confuses users for lack of an "X" button in its upper-right corner. When confronted with an unwanted pop-up, users are widely instructed to press the "X" to safely remove the window. (See e.g. Anti-Spyware Coalition Safety Tips, bullet point 9.) By hiding this button, 180 prevents users from following standard safe browsing practices.
180's S3 window embeds a license window which ultimately provides some information about 180's practices and effects. But this window is deficient in formatting and design. Its typeface uses letters that are just seven pixels tall -- smaller than the letters used elsewhere in the window (in the main window text, on buttons, etc.). The first two pages of license text are in all-caps type, making reading especially difficult. Reading is also made more difficult by the odd shape of the window: The window is very wide but quite short, requiring users' eyes to move back and forth across a broad width while simultaneously scrolling down -- an arrangement that deters careful review. Finally, the window lacks any button or link to enlarge the license to a bigger window, and ordinary Windows clipboard copy functions (e.g. right-clicking, or selecting all text followed by pressing Control-C) cannot copy the window's text into a separate text viewer. As a result, users have no easy way to meaningfully review 180's license agreement.
That 180solutions shows a license agreement does not automatically make all provisions of its license agreement enforceable, according to recent spyware litigation by public authorities. In the FTC's suit against Enternet and in the NYAG's suit against Intermix, as in this 180solutions installer, vendors used lengthy license agreements without a clear and plain description of programs' actual effects. See FTC complaint against Enternet (PDF), paragraph 39, rejecting a EULA where it is "so broad and over-reaching that it does not convey adequate information to consumers." See NYAG complaint against Intermix (PDF), paragraph 9, rejecting a EULA that "hides" key passages "deep within lengthy, legalistic agreements" and rejecting a EULA with provisions that are "vague [and] incomplete."
By failing to disclose its tracking of users' activities in its prominent on-screen text, 180 also falls short of applicable industry guidelines. Consider TRUSTe Trusted Download Program's stated criteria (PDF). Provision III.A.2.a specifically requires that TRUSTe-certified adware disclose not just that it will show "advertisements" but also that it disclose the types of ads to be shown (e.g. pop-ups). Furthermore, III.A.2.b.ii. specifically requires that TRUSTe-certified adware disclose any monitoring it performs. Provisions II and III.A. require that these important disclosures appear in a "clear, prominent, unavoidable" "primary notice" actually shown to users, not merely in a EULA or similar appendix. So 180's EULA fails to meet industry standards for disclosure.
Discouraging Users from Removing 180
A variety of 180solutions practices deter users from removing Zango even if users explicitly express their intent to do so (i.e. by activating the Zango entry in Control Panel's Add/Remove Programs listing).
When a user selects Zango's entry in Add/Remove Programs, 180 shows a dialog box attempting to discourage removal. The dialog box begins by setting out the purported benefits of Zango (including the three bullet points at right). But 180 further issues a warning that is particularly likely to discourage removal: 180 states that "uninstalling Zango will disable any Zango-based applications or tools on your computer." 180 emphasizes this warning by showing it in a font larger than other text in the dialog box, and by formatting it with indentation, a distinctive background color, and a border box that all serve to further emphasize its apparent significance.
Despite 180's emphasis on the "will disable any Zango-based applications" warning, this message is a false alarm for those users who received Zango from Doll Idol: Such users do not have applications "based" on Zango, and therefore no applications will be disabled by removing Zango. So this warning is inapplicable as to such users -- but inexplicably 180 shows the message anyway.
Furthermore, in my hands-on testing of programs that come with Zango, this warning is largely false as to them too. Most such programs continue to function even if Zango is removed.
Users are further discouraged from removing Zango by the placement of buttons at the bottom of Zango's uninstall confirmation screen. Typical practice in Windows wizard-style dialog boxes -- windows with a large body section above a set of choice buttons -- is to put an affirmative button (i.e. "continue") at the bottom-right corner, and to put cancel at bottom-left. Furthermore, the affirmative button is generally the Windows default (indicated by a dotted outline and darker shadow). 180 reverses both of these conventions. In particular, 180 puts the "Keep Zango" button in the bottom-right corner -- the location that, by Windows convention, should be consistent with the user's prior request (to remove Zango).
When a user receives 180 software from Doll Idol, the user cannot reasonably be said to have consented to 180's subsequent actions. A user may have clicked a link, pressed an "open" button, and pressed "finish," but nowhere was the user fairly informed of the consequences of installation. Nowhere did 180 or Doll Idol admit to tracking what web sites users visit. Where a disclosure alluded to showing advertising, the warning used a euphemism so obscure that users cannot be expected to understand that ads would appear in pop-ups. Finally, 180's solicitation of installations at Doll Idol is ill-advised because the Doll Idol site targets children.
180 has the ability to correct these deficiencies. 180 could make it clear that its Zango software is not a part of Doll Idol's site and that Zango has effects far beyond Doll Idol's site. 180 could openly admit that its ads appear in pop-ups, and 180 could explain the actual privacy consequences of installing its software (rather than merely denying other harms that it claims its software won't cause).
Though my analysis focuses on a single site, Doll Idol's shortcomings are representative of current 180solutions installations offered on hundreds or thousands of web sites. To the extent that 180's S3 screen fails to provide appropriate notice of 180's true effects or otherwise fails to obtain meaningful consent, these failures occur across 180's network of installation partners.
Among 180 distributors, Doll Idol is on some level a "model" -- a distributor that 180 praises as the apparent pinnacle of 180's partners. But 180's S3 installation screens also appear in circumstances even less amenable to a proper installation. For example, 180's S3 screens were recently found in adware bundles foisted via bogus instant messages. I have also observed 180's S3 screen appearing among large adware bundles foisted without meaningful user consent or, in some cases, any consent at all. In these cases, disclosure shortcomings within 180's S3 screen become all the more serious: Users are particularly ill-equipped to assess the merits of 180's offer when it comes in the midst of a massive spyware attack. That 180 only installs if a user presses "Finish" does not mean affected users truly consent to 180's installation; to the contrary, as a result of 180's own disclosure failures, users press 180's "Finish" button and receive 180's software without a fair opportunity to learn what they're getting and why they might not want it.
180solutions representative Sean Sundall posted a response to this article in comments at ZDNet and at Vital Security. See my analysis and critique of his response.
Last Updated: January 15, 2006 - Sign up for notification of major updates and related work.