What’s So Hot About Hotbar? updated May 19, 2005

Last week Sunbelt announced that Hotbar sent Sunbelt a Cease and Desist letter, apparently demanding that Sunbelt stop detecting Hotbar software and offering users an option to remove it. I immediately updated my Threats page. But then I started wondering: How does Hotbar get onto users’ PCs? And what does Hotbar do once installed?

My new Hotbar Installs via Banner Ads at Kids Sites shows a variety of unsavory Hotbar practices: Promoting Hotbar advertising software at sites targeting kids, using banners with smiley faces but without mention of ads. Failing to affirmatively show a license agreement, and burying advertising terms so many screens into the license and below such counterintuitively-labeled section headings that users cannot reasonably find the key provisions. First affirmatively mentioning advertising on a screen that offers no Cancel button for users to decline the installation. And ultimately bombarding users with ads in pop-ups, web browser toolbars, Windows Explorer toolbars, auto-opening sidebars, and even desktop icons.

Meanwhile, Hotbar’s C&D indicates that their software is no longer detected by Microsoft Anti-Spyware, Lavasoft Ad-Aware, or McAfee. Why not? Consider Microsoft’s policy statement: “Windows AntiSpyware (Beta) alerts the user to the presence of any automatic pop-up advertising appearing outside the context of the program they are currently using.” This certainly describes Hotbar’s pop-up ads. Yet somehow Hotbar has caused — convinced? persuaded? threatened? — Microsoft not to detect their program.

Of course Hotbar is not the only party to blame. Hotbar’s ads arrive at kids sites through ads syndicated by Fastclick (NASDAQ: FSTC). As a publicly-traded company, surely Fastclick could find a better business than foisting advertising software onto unsuspecting kids.


I’ve recently received a copy of the Cease and Desist letter (PDF) Hotbar sent to Sunbelt. Sunbelt says they’ll be responding shortly, and I’m looking forward to reading their response. Meanwhile, some inaccuracies in the letter are so egregious that I feel obliged to note them immediately.

Hotbar claims to provide its users with “explicit explanations” of its services, and Hotbar therefore claims that users “provide … full conscious consent to each and every aspect of Hotbar software.” That’s not what I’ve seen when I’ve tested Hotbar. Rather, I have observed Hotbar install without even mentioning the word “ads” until a screen at which users aren’t given a “cancel” button. And nowhere does Hotbar affirmatively show users any mention of its numerous forms of ads (pop-ups, pop-unders, toolbar ads, auto-opening sidebars, and even desktop icons). To say Hotbar users “consent to each and every aspect” is truly a puzzling misstatement of the facts — that’s not what I’ve observed, nor is it what I’ve chronicled in screenshots and videos.

Hotbar then claims that Sunbelt “misrepresent[s]” Hotbar when it calls “Hotbar” adware. I don’t get it. How else is Sunbelt supposed to describe a program that tracks users’ online activities and shows ads, including pop-up ads? If Claria is adware — and even Claria says it is! — then surely Hotbar is properly called adware too. Perhaps reasonable people could disagree about the propriety of calling Hotbar spyware. But “adware”? No.

Telling the Truth about Installation Tactics

Installation practices occupied center stage at last week’s CNET Download.com‘s anti-spyware conference. Many of the companies whose installation practices I’ve criticized attempted to defend those practices or deflect attention from them. But their explanations and excuses don’t stand up to critical examination.

Does Claria Target Kids? Take Two…

At the CNET conference, I showed my slides of Claria’s misleading ads on kids sites. The audience seemed to think the slides are pretty damning: Claria shows an ad that looks like a Windows dialog box, though it’s not; Claria offers a clock-synchronizing program (which Windows XP users don’t need); Claria installs software with just two clicks; and Claria doesn’t show a license until after the user accepts the installation. All this, on sites targeted at kids — sites with privacy policies that say so, in case the cartoon graphics, simple language, and underlying content (often cartoon video games) weren’t clear enough.

Claria’s CEO, Jeff McFadden, responded in part by claiming that the Ezone site (the example I focused on) isn’t really targeted at kids:

“… There’s a second thing that was mentioned, that this is a kids site. I’m not sure what homework was done on this, because there’s an IDC report that says that online gaming sites, the average age of people who visit those sites is 29. I don’t know if anyone has done a demographic study of this particular site. I was shocked to find that even the Neopets web site that my daughters at home use quite frequently has a very large constituency of housewives that use the site. So we do not ‘target’ kids sites. … ”

conference archive, session 2 recording (MP3), from 1:05:00 to 1:12:38 (excerpt – WindowsMedia), in response to my question at 55:50 to 57:50 (excerpt). See also panelists’ responses at 57:50 to 1:05:00 (excerpt).

IDC may be right that the average age of gaming site visitors is 29. But I doubt demographics are similar at cartoon video game sites like Ezone. With titles like “Beetle Junior” and “Turtle Bay,” it’s hard to think the sites could retain a major adult audience.

What would it take to convince Jeff that the Ezone site really does cater to kids, and that it isn’t an appropriate place to solicit new installations of Claria’s advertising software? Last month I posted several other examples of Claria ads on (what I claim to be) kids sites — not just Ezone, but also a site called Fingertime Games (“lunar mouse house,” “junk food jack” and other games). Today I’m adding one more, which I think is even more clearly targeted at kids. For starters, the site is called Kidzpage — its very name a play on “kids.” Its title bar and “welcome” text both say it’s “for children.” Its advertisement pitch specifically says it’s “for kids and adults … family and students … school-aged children along with the ‘grown-ups’ who supervise them.” It’s linked from Yahooligans (Yahoo for kids). Can anyone seriously dispute that users obtained at such a site will include kids who didn’t know what they were getting, and who couldn’t reasonably consent?

A Claria ad within a site catering to kids.  Note cartoon-style graphics and lettering.  Note "for children" within title bar.

Beyond targeting kids, there’s plenty more wrong with this Claria installation method. See my earlier write-up for discussion of fake-user-interface, unneeded programs, and failure to show a license until after installation occurs. See also Eric Howes‘s Adware Installations of 2005, showing other Claria installations with similar shortcomings.

Ask Jeeves’ Problems: Non-consensual Installations, Semi-consensual Installations

Installation practices seem to be a question that IAC CEO Barry Diller doesn’t fully understand, or at least doesn’t care to talk about. In an earnings call last week, he said AJ “doesn’t have an issue with either spyware or adware.” But more than denying that AJ faces exposure here, Diller didn’t even want to discuss the matter. He continued: “It is an issue, obviously, but it is not our issue. And that’s that. Next question, please?”

Diller is right that the AJ toolbars aren’t either spyware or adware (as I use the terms). After all, the AJ toolbar doesn’t obviously collect much information about what users do (though I don’t fully understand all of AJ’s transmissions). And the AJ toolbar doesn’t show the annoying pop-ups common to most “adware.” (That said, AJ’s toolbar leads users to web pages with lots of PPC ads syndicated from Google. So if some AJ installations are wrongful, remember that Google revenues are ultimately funding AJ’s activities. Google staff tell me they’re “looking into it.”)

But Diller is wrong to so quickly conclude AJ has no problem here, merely because AJ doesn’t make spyware or adware. If AJ software is becoming installed through security holes w/ no notice or consent (it is), and if AJ is offering payments to those who perform these wrongful installations, AJ has a problem no matter how praiseworthy AJ’s software may be. Similarly, if AJ is installing without showing or even referencing a license, while using euphemisms that fail to properly disclose even the most general effects of the programs to be installed (again all true), AJ has a lot to improve. Same if the AJ license agreement is buried at page 48 of a license agreement users aren’t even shown unless they specifically request it (see Kazaa installer).

The basic legal theory — clearly articulated in the NYAG’s complaint against Intermix — is that users ought to control what software runs on their computers. So installations are only proper when they occur with user consent, after clear and straightforward disclosures. Omit the disclosures, or phrase them so euphemistically that users can’t reasonably understand, then the software installation becomes a trespass.

I don’t always agree with Marquette professor Eric Goldman. (In particular, I can’t agree with his calls for narrow liability for actions of distributors and advertisers. This seems like a recipe for unaccountability and for rewarding bad actors. Eric’s approach would encourage “adware” vendors to look the other way when their software is installed wrongfully, and would give a free pass to those who advertise through software installed improperly.) But interestingly Eric and I seem to see AJ the same way — the key question being whether AJ’s installation disclosure and consent is up to par.

180solutions Continues to Become Installed Without Any Consent At All

Representatives from 180solutions made the sensible decision not to claim, within the official CNET conference sessions, that their programs install only with consent. After all, I had screenshots and videos providing the contrary.

But in a video interview made mere minutes before, 180solutions COO Daniel Todd told Dow Jones Marketwatch that “180solutions does not install software on people’s computers without consent.” Only upon further pressing by the interviewer does Todd back-peddle, admitting that some 180 distributors install 180 software with “no consent” or without (what Todd considers) adequate consent.

So Todd admits that some 180 installs are nonconsensual. Yet 180’s web site continues to claim that its software is “permission based” and “only downloaded with user consent.”

Which one is right? My November and March videos show nonconsensual 180 installations in great detail. (I’ll post still more videos in the coming weeks, as to 180 as well as Direct Revenue, eXact Advertising, and many others.) So Todd’s ultimate admission is accurate. Not so for the “only … with … consent” promises on 180’s web site.

Todd later stated that 180 has 7,000 to 10,000 distributors. That’s a huge number — it underscores the practical difficulty of 180 performing meaningful oversight of what its distributors are doing. With so many installation “partners” and so little enforcement or quality control, 180 has created a monster. Who’s going to fix it, and when?

Direct Revenue Commission Skimming

In my final visit to the CNET Q&A microphone, I mentioned Direct Revenue “skimming off the top” — invoking affiliate commission links to claim commissions on purchases users were already making. I previously documented this same behavior by 180solutions — finding it surprisingly widespread, yet reportedly an easy way to make money. (Last year 180 told MSNBC that it made more than $100,000 from Dell in just one month in late 2003.)

Direct Revenue’s commission-skimming was relatively easy to spot — with telltale signs in users’ cookies folders, not to mention noticeable popunders and, as usual, clear records in packet sniffers. So I was pleased to learn that affiliate network Commission Junction has already noticed this scam and, reportedly, taken action. So perhaps there’s less need for me to post the various videos, screenshots, packet logs, and other proof I’ve been accumulating. Instead, I’ll soon be focusing on reporting DR advertisers — some shocking examples, like American Express ads continuing to target kids sites.

Does Jeeves Ask for Permission?

I continue my misleading installation series with a look at installation practices of Ask Jeeves. My new Ask Jeeves Toolbar Installs via Banner Ads at Kids Sites shows a misleading banner ad particularly likely to target kids. When users click on this banner, AJ neither shows nor references any license agreement. And AJ uses euphemisms like “accessible directly from your browser” rather than explicitly admitting that it will install a web browser toolbar.

But that’s not the worst of AJ’s practices. Over the past six months, I’ve captured a series of videos showing Ask Jeeves’ MyWay and MySearch software installed through security holes — without notice, disclosure, or consent. For example, in a video I made on March 12, I received more than a dozen different programs including the Ask Jeeves MySearch toolbar — without me ever requesting anything, and without me ever clicking “Yes” or “Accept” in any dialog box. Watch the video and see for yourself. Warning: The video is 16+ minutes long. Security exploit occurs at 6:00, and Ask Jeeves MySearch software is first seen at 15:50. In this same testing, I also received installation of 180solutions, multiple programs from eXact Advertising, the IBIS WebSearch toolbar, PeopleOnPage, ShopAtHomeSelect, SurfSideKick, WindUpdates, and many more. The underlying network transmissions show that the security exploit at issue was syndicated through the targetnet.com ad network — Mamma Media, publicly-traded on Nasdaq Small Cap.

I have other videos available upon request, including nonconsensual AJ installations dating back to November 2004. See also my November 2004 exploit video.

I’m surprised that Ask Jeeves allows these nonconsensual installations. Ask Jeeves is a publicly-traded company with a 10-digit valuation (slated to be acquired by InterActiveCorp for $1.85 billion). If Ask Jeeves staff made a serious effort to screen and supervise their distribution partners, they could prevent this kind of mess.


The biggest news last week was a lawsuit filed by the New York Attorney General’s office against Intermix Media, whose KeenValue, IncrediFind, and other programs show popup ads, add extra browser toolbars, and intercept error messages. These practices are objectionable in and of themselves, but the complaint focuses on the programs’ misleading installations. Sometimes the programs install with no notice at all, the complaint says, and sometimes only with hidden or misleading disclosures users are unlikely to notice or understand.

I have the sense that this suit is the first of many. There are certainly plenty of similar offenders, even big companies with major venture capital funding. I have often written about software from 180solutions, Direct Revenue, and eXact Advertising installing through security holes, practices I’ve continued to observe (including in the video linked above). And Claria’s tricky installations share many of the deceptive characteristics the AG attributes to Intermix, like hiding key terms in “lengthy, legalistic license agreements” and using “vague, incomplete” disclosure text. (See NYAG complaint (PDF), paragraph 9.) So I doubt the NY AG’s office would approve of the Ask Jeeves practices I’m documenting today, nor the other misleading tactics on my spyware installation methods index.

Misleading Installations of the Week: PacerD, and Claria’s Dope Wars

It’s Monday morning, so time for more misleading installations. Just like last week, I couldn’t stop at only a single example; again I’m providing two.

PacerD’s misleading pop-ups ask users to “please click yes” to accept “free browser enhancements.” In fact what PacerD offers is an unusually large bundle of a dozen different programs, only some of them disclosed in fine print in PacerD’s mislabeled (apparent, purported) license agreement, which in turn is only shown at a user’s specific request. But click “Yes” once, and your computer will take a turn for the worse, with no subsequent opportunity to cancel.

The PacerD Installation Bundle

As usual, Claria’s approach is somewhat more subtle. When Claria bundles its advertising software with the “Dope Wars” video game, Claria prominently tells users that it will deliver advertising. But Claria mentions effects on privacy only midway through a 43-page license agreement, that begins with three tedious pages of all-caps text. My sense is that few “Dope Wars” players are likely to wade through this lengthy license. So if Dope Wars users install Claria, they’ll do so without first understanding what Claria will do to their PCs.

Claria’s Misleading Installation Methods – Dope Wars

On some level, these two installations could hardly be more different. PacerD installs a dozen programs from numerous different companies; Claria installs just one. PacerD shows a popup while users are just trying to surf the web; Claria’s interruption comes as users are trying to install software they actually want. But in relevant respects, I think these installations are surprisingly similar. For one, both seek to convert users’ computers into advertising channels — tracking what users do, and showing extra advertising. Also, both installations tell users something about the programs they are asked to accept, and both give savvy users an opportunity to learn more, but in each case the prominent on-screen text omits important facts users need to know in order to make sensible choices.

Misleading Installations of the Week: Claria and 180 at Kids Sites

“Adware” companies say their businesses are predicated on user consent. (Claria: “… consumers who agree … “; 180: “permission-based … opt-in”). Notwithstanding, companies’ claims, there’s no doubt that this kind of advertising software is sometimes installed without consent. See the video I posted last year.

But what about those users who supposedly do consent to receive extra pop-ups? Why did they agree to receive extra advertising that so many other users seem to despise? My sense is that users often don’t understand what they’re getting — due to serious deficiencies in installation disclosures. In two new articles, I examine and analyze the installation procedures of Claria and 180, raising doubts as to whether users reasonably knew what would happen when they “accepted” these programs.

Ezone.com, a site targeting children, that nonetheless promotes 180solutions.Can we say that a user “consents” to an installation if the installation occurred after a user was presented with a misleading advertisement that looked like a Windows dialog box? If that advertisement was embedded within a site substantially catering to children? If that advertisement offered a feature known to be duplicative with software the user already has? If “authorizing” the installation required only that the user click on an ad, then click “Yes” once? If the program’s license agreement was shown to the user only after the user pressed “Yes”? These are the facts of recent installations of Claria software from ads at games site Ezone.com.

Details: Claria’s Misleading Installation Methods – Ezone.com

Turning to 180: Can we say that a user consents to an installation of advertising-display software where that installation is prominently described as removing advertisements? Where the installation description uses euphemisms like “show … sponsor websites” but never explicitly states that the program will show advertisements or pop-ups? Where the installation procedure never shows or even references a license agreement? And where all this occurs at sites catering to children?

Details: 180solutions’s Misleading Installation Methods – Ezone.com

Lots of companies want to take advantage of users who may be a bit confused, a bit naive, or a bit too quick to click yes. But where users are recruited at sites catering to children, where ads look like Windows messages, or where installation requests resort to misleading euphemisms, I’m not inclined to say that consumers “consent” to the resulting ads and to the resulting transmission of personal information.

New Series on Spyware Installation Methods

So-called “adware” companies say nonconsensual installations of their programs are just an “urban legend.” (See section 7 of 180’s claims in a recent interview.) But when I talk to users whose computers have become infected, I’m consistently told that they don’t know how they got the unwanted programs, and they say they certainly didn’t consent. How can we understand this divergence? How are users PCs receiving this unwanted software?

My new Spyware Installation Methods sets out a taxonomy of the ways unwanted programs sneak onto users’ computers. Some installations rely on tricking users — for example, showing confusing popups, or claiming or suggesting that an installation is required to view a web site. Others install unwanted software in bundles with programs users actually want — sometimes telling users what they’re getting in fine print midway through long licenses, but sometimes not even including these minimal disclosures. Finally, some spyware sneaks in through security hole exploits — without any user consent at all, thanks to defects in users’ web browsers or other software. (See the security hole video and write-up I posted last fall.)

There’s lots to be done in documenting how unwanted software gets onto users’ PCs. My Installation Methods page indexes my work to date, to the extent it’s posted online. But I have much more documentation still to be posted — for example, scores more videos showing security exploits. I’ll be making additions in the coming months, as I find better ways to present this work clearly and efficiently, and as I find clients or other revenue sources to help support this work. (I’m still looking! Send suggestions.)


Diagram of the steps users must follow in order to attempt to learn what software 3D and BlazeFind will install on their PCs.  Even diligent users ultimately have no way to know in advance what 3D will install on their PCs.Diagram of the steps users must follow in order to attempt to learn what software 3D and BlazeFind will install on their PCs.

Today I’m also starting what I intend to be a series of weekly updates to my site — tentatively entitled “misleading installation of the week.” Sometimes I’ll show massive security hole exploits that render users’ computers nearly useless, but sometimes I’ll post more “ordinary” infections that “merely” show extra ads or send users’ browsing habits to a remote server. At every turn I’ll emphasize the trickery common to most installation methods — the ways that substance (e.g. material omissions, euphemisms, confusing circumstances) and style (e.g. on-screen presentation format, window size and shape, link format) cause users to “accept” software that offers them little or no genuine benefit.

I’m starting this series with an analysis of software from 3D Desktop. 3D’s Flying Icons Screensaver bundles BlazeFind, which in turn bundles 180solutions and half a dozen other programs. To learn what’s included, users must puzzle through a dizzying array of licenses — scroll through one license to find a link to another; scroll through that agreement to find the URLs to others; perfectly retype those URLs; then read each of the resulting licenses. But even if users follow this lengthy procedure, 3D and BlazeFind will ultimately install programs beyond the programs the licenses specifically name. So even diligent users have no way to know in advance what 3D will do to their PCs. Plus, BlazeFind is overzealous in its claims of privacy protection: BlazeFind says the programs it installs don’t track users’ behavior, but my hands-on testing proves otherwise. Details:

3D Desktop’s Misleading Installation Methods

Interestingly, BlazeFind’s license mentions that BlazeFind is a product of CDT, a software distribution company recently purchased by 180solutions. 180 says the CDT acquisition is part of its effort to “clean up” its distribution methods. With practices like these, they certainly have plenty of work ahead. See also a recent Spyware Warrior analysis of other 180 claims and practices in need of correction or improvement.

What P2P Programs Install What Spyware?


A misleading installation procedure -- with multiple licenses combined into a single scroll box, and offering to install programs without providing even a brief description of their purposes or effects.A misleading installation procedure — with multiple licenses combined into a single scroll box, and offering to install programs without providing even a brief description of their purposes or effects

Request a peer-to-peer filesharing program, and you may be surprised what else gets installed too. I’ve tested five major P2P programs and analyzed their bundled software. Licenses stretch to as long as 22,000+ words and 180+ on-screen pages. Some P2P apps add additional programs disclosed only in license agreement scroll boxes. And it’s not uncommon for a P2P app to create thousands of registry entries. But at least one major P2P program bundles no extra software at all.

My full article analyzes what programs come with what extra software. I have also posted screen-shots of each screen of the lengthy license agreements, and I’ve noted scores of license anomalies such as broken links, missing section-heading formatting and line breaks, important omissions, and surprisingly one-sided substantive provisions.

Details:

Comparison of Unwanted Software Installed by P2P Programs

How Google’s Blogspot Helps Spread Unwanted Software

Google claims to be on the right side of the spyware problem. Its May 2004 Software Principles set out lofty (if somewhat vague) standards for installation notice consent. Its Google Toolbar installer gives impeccable disclosure and obtains true, meaningful, informed consent. (See page 7 of my FTC Comments (PDF).) And Google is a victim of spyware: I’ve tested and studied a number of programs that add bogus search results and advertisements to Google.com results, tarnishing Google’s brand and siphoning advertising revenues that would otherwise accrue to Google.

Yet Google is far from blameless in the spyware battle. Of particular concern: Numerous blogs hosted at Google’s Blogspot service contain JavaScript that tries to trick users into installing unneeded software. At one such blog, users are offered a misleading popup that falsely claims "You have an out of date browser which can cause you to get infected with viruses, spam, and spyware. To prevent this, press YES now." If a user declines, the user is shown a second popup instructing "Click Yes to upgrade," followed by the first popup again. If the user declines a second time, a further popup claims "We strongly recommend you upgrade … Click YES Now!" See screenshots below.

A misleading installation attempt shown on a Blogspot page. A misleading popup attempting to encourage users to accept a misleading installation attempt shown on a Blogspot page. A misleading popup attempting to encourage users to accept a misleading installation attempt shown on a Blogspot page.

If a user presses yes, the user receives certain extra software, often including software that many users would call spyware. The screenshots above show an attempted installation of Elitetoolbar. I have also observed similar popups attempting to install software from Crazywinnings (repeatedly falsely claiming "you have to click yes to continue" if users initially decline the installation) and from Direct Revenue. See a video of the repeated Crazywinnings installation attempts. See also additional screenshots (1, 2, 3, 4) of other software installations and/or other infected Blogspot pages.

Who’s Responsible, and Who’s Able to Stop This Mess?

The popups at issue come from a service called iWebTunes.com. iWebTunes recruits blog authors by giving them music to add to their blogs or other web sites. But as users view the resulting blogs, iWebTunes shows software installation popups to attempt to foist extra programs onto users’ computers. These programs likely pay iWebTunes a commission for each resulting installation.

Users have reported unwanted software offered by Blogspot sites since at least September 2004. See a September 15, 2004 blog post complaining of spyware received from iWebTunes. I reported these problems to Google staff last week, including a specific example of an infected site. But so far Google has taken no action to stop the misleading popups on this site or others. A recent Blogspot tech support response admitted the problem, at least generally, but offered no specific approcah or timetable for resolution.

What should Google do? Google already disallows JavaScript within Blogspot.com posts. (Screenshot.) Apparently Google considers embedded JavaScript too risky — too likely to trick, deceive, or otherwise take advantage of users. But Google oddly allows JavaScript to be added to Blogspot headers and navigation bars. This decision should be reversed. Disallow the JavaScript interface by which iWebTunes gets added to Blogspot pages, so Blogspot pages can no longer trigger misleading JavaScript and ActiveX popups from iWebTunes or elsewhere. Of course some JavaScript code is entirely harmless — like the scripts that embed Google AdSense ads, comments, or polls. But Google should hesitate to permit JavaScript from unknown or known-hostile sources.

So Google is in a natural position to stop this problem. But it’s not the only company that could take action here. As I pointed out earlier this month, VeriSign plays a key role in authorizing ActiveX security warnings like that shown above: The misleading popups are only shown if they carry valid digital certificates, and VeriSign is the primary issuer of such certificates. VeriSign’s existing rules disallow using VeriSign-issued certificates “to distribute malicious or harmful content of any kind … that would … have the effect of inconveniencing the recipient.” I consider the programs above to be harmful for their addition of unwanted software including toolbars, silent auto-updaters, and systems that track and transmit certain personal information. Especially when combined with the popups’ false claims ("… out of date browser" and "you have to click yes") and especially in light of the other misleading circumstances of installation, I see ample basis to conclude that the popups are malicious. These software installation attempts are therefore arguably prohibited by existing VeriSign rules. But I’ve seen little sign of VeriSign acting to enforce its rules. VeriSign’s code signing site offers no obvious standards or procedures for assessing or reporting violations.

More on Google and Spyware: Sponsored Link Advertising from So-Called Spyware Removers

These misleading Blogspot popups are not Google’s only ties to spyware companies. Eric Howes has posted a warning he calls Google & Anti-Spyware Products: Be Wary of Paid Search Results. Eric and others have put together a list of “rogue/suspect” anti-spyware applications that are at best useless (failing to detect or remove bona fide spyware) and at worst malicious (installing new spyware of their own). Comparing current Google advertisers for a search on "spyware" with Eric’s impressively detailed list yields surprisingly numerous matches.

According to Google’s Software Principles, companies should "keep good company" by avoiding doing business with those who don’t meet ethical standards. Yet Google somehow continues to show ads for — and accept advertising payments from — companies whose supposed anti-spyware tools merely take advantage of users’ spyware worries. Google has made some progress at cleaning up the most dishonorable advertising for anti-spyware searches, but its AdWords advertising remains a poor, unreliable source for consumers to find reputable, high-quality anti-spyware applications.

How VeriSign Could Stop Drive-By Downloads updated February 22, 2005

VeriSign hates spyware — or so suggests CEO Stratton Sclavos in a recent interview. Even his daughter’s computer got infected with scores of unwanted programs, Sclavos explains, but he says VeriSign is helping to solve this problem. The ironic reality is Sclavos’ daughter’s computer was most likely infected via popups that appeared trustworthy only thanks to certificates issued by VeriSign. If Sclavos is serious about cracking down on spyware, VeriSign can end many deceptive installation practices just by enforcing its existing rules.

Drive-By Installs, Digital Signatures, and VeriSign’s Role

In 2002, Gator introduced ActiveX “drive-by downloads” — popups that attempt to install unwanted software onto a user’s PC as a user browses an unrelated web site. Today, Windows XP Service Pack 2 offers some protection by blocking many drive-by installation attempts. But for users with earlier versions of Windows, who can’t or don’t want to upgrade, these popups remain a major source of unwanted software. (And even SP2 doesn’t stop all drive-bys. For example, SP2 users with Media Player version 9, not the new v10, are still at risk.)

Even though Microsoft can’t (or won’t) fully fix this problem, VeriSign can. Before an ActiveX popup can install software onto a user’s computer, the installer’s “CAB file” must be validated by its digital signature. If the signature is valid, the user’s web browser shows the ActiveX popup, inviting a user to install the specified software. But if the signature is invalid, missing, or revoked, the user doesn’t get the popup and doesn’t risk software installation.

Microsoft has accredited a number of providers to offer these digital certificates. But in practice, almost all certificates are issued by VeriSign, also owner of Thawte, previously the second-largest player in this space. (See a findlaw.com antitrust discussion message noting that, as of February 2000, the two providers jointly held 95% of the digital certificate market.)

Through existing software systems, already built into Internet Explorer and already implemented by VeriSign servers, VeriSign has the ability to revoke any certificate it has previously issued, disabling ActiveX installations that use that certificate. See VeriSign’s Certificate Revocation List server (crl.verisign.com) and Microsoft Certificates documentation of the revocation system.

I suggest that VeriSign can and should use its existing certificate revocation system to disable those certificates issued or used in violation of applicable VeriSign rules.

Examples of the Problem, and A Specific Proposal

Consider the three misleading ActiveX installers shown below. The first gives an invalid company name (“click yes to continue”). The second gives a misleading/missing product name (“virus free”). The third was shown repeatedly, between popups that falsely claimed “In order to view this site, you must click YES.” Click on each inset image to see a full-size, uncropped version.

An ActiveX installer with a misleading company name, purportedly  "click yes to continue." An ActiveX installer with a misleading product name ("VIRUS FREE").

Each of these misleading installations is contrary to VeriSign contract, contrary to VeriSign’s duty to its users, and contrary to VeriSign’s many promises of trustworthiness. In the first installer, VeriSign affirmatively certified the “click yes to continue” company name — although it seems that there exists no company by that name, and although that company name is facially misleading as to the purpose of the installation prompt. In the second and third examples, VeriSign certified companies that subsequently used VeriSign’s certification as a necessary step in deceiving users as to the function of and (alleged) need for their programs.

Given VeriSign’s claims (such as its old motto, “the value of trust”), VeriSign should want to put an end to these practices. When VeriSign certificates are issued wrongfully (as in the first example) or are used deceptively (as in the second and third), VeriSign should take action to protect users from being tricked. In particular, when an application offers a facially invalid and misleading company name, VeriSign should refuse to issue the requested certificate. When an applicant violates basic standards of truth-telling and fair dealing, VeriSign should revoke any certificates previously issued to that applicant.

Why VeriSign Should Get Involved

VeriSign’s intervention would be entirely consistent with its existing contracts with certificate recipients. For example, section 11.2 (certificate buyer’s representations) requires a certificate buyer to represent that it has provided accurate information — including an accurate company name. The purported company name “click yes to continue” surely violates the accuracy requirement, meaning the certificate supporting the first popup above is prohibited under VeriSign rules.

Furthermore, VeriSign’s section 4 (“Use Restrictions”) prohibits using VeriSign certificates “to distribute malicious or harmful content of any kind … that would … have the effect of inconveniencing the recipient.” The dialers, toolbars, tracking systems, and advertising systems provided by the second and third popups are indisputably inconvenient for users. I claim the resulting software is also “malicious” and/or “harmful” in that it tracks users’ personal information, slows users’ computers, shows extra ads, and/or accrues long-distance or 900 number access costs. So these installation prompts also violate applicable VeriSign rules.

VeriSign’s contracts grant VeriSign the power to take action. Section 5 explains that “VeriSign in its sole discretion retains the right to revoke [certificates] for [certificate buyers’] failure to perform [their contractual] obligations.” So VeriSign has ample contractual basis to revoke the misleading certificates.

Contractual provisions notwithstanding, I anticipate certain objections to my proposal. The obvious concerns, and my responses —

  • It’s too hard and too costly for VeriSign to find the wrongdoers. But VeriSign is a huge company, and a market leader in online security, infrastructure, and trust. Also, confirming the legitimacy of certificate recipients is exactly what VeriSign is supposed to be doing in the course of its certificate issuance. VeriSign charges $200 to $600 per certificate issued. At present it’s unclear what verification VeriSign performs — what work VeriSign does to earn $200+ for each certificate issued. The procedures I’m proposing might require a few new employees and some ongoing effort. But for a company precisely engaged in the business of certifying others’ practices, this testing is appropriate. Even if enforcement is costly, VeriSign stands to lose much more if it dilutes its brand and “trust” promise by failing to stop deceptive installations occurring under the guise of VeriSign certificates.
  • There are some difficult border cases. I agree that not all ActiveX installers are as outrageous as those shown above. For example, Claria’s installers lack the most outrageous of the deceptive practices above — they give Claria’s true company name, and they don’t explicitly claim that installation is required. Yet Claria’s installers still have major deficiencies. For example, Claria’s installers fail to admit that Claria software will not just “monitor” user information but also collect and store such data (in what is reportedly the seventh largest database in world), and Claria’s software repeatedly tries to install even if users decline when initially asked. What should VeriSign do with a case like Claria? I consider Claria’s installation practices deceptive and unethical, but I’m not sure it’s VeriSign’s role to make Claria stop. However, the existence of some hard decisions doesn’t mean VeriSign shouldn’t at least address the easy cases.
  • XP SP2 already solved the ActiveX problem, so this is irrelevant. I disagree. Tens of millions of users still run old versions of Windows. Some users can’t afford the cost of an upgrade (new software plus, for many users, faster hardware). Others cannot upgrade due to corporate policies or compatibility concerns. Then there are problems for which even SP2 doesn’t offer full protection: WindowsMedia files can still open ActiveX popups and installer decoys that try to trick users into authorizing installations.

VeriSign’s intervention would make a big difference. VeriSign could stop many misleading software installation practices, including those shown above, and block what remains a top method of sneaking onto users’ PCs. Unlike spammers who switch from one server to another, spyware distributors can’t just apply for scores of new digital certificates, because each application entails out-of-pocket costs.

Plans for an Enforcement Procedure

Enforcement of invalid company names would be particularly easy since VeriSign already has on hand the purported company names of all its certificate recipients. Entries like “click yes to continue” stick out as facially invalid. Simply reading through the list of purported company names should identify wrongdoers like “click yes to continue” — applicants whose certificates should be investigated or disabled.

It’s admittedly somewhat harder for VeriSign to stop certain other deceptive practices that use VeriSign-issued certificates. While VeriSign knows the company names associated with all its certificates, VeriSign’s systems apparently don’t currently track the purported product names signed using VeriSign certificates. Furthermore, VeriSign receives no special warning when a certificate recipient uses tricky JavaScript to repeatedly display an installation attempt or to intersperse displays with “you must click yes” (or similar) popups.

But VeriSign could at least establish a formal complaint and investigation procedure to accept allegations of violations of applicable contracts. Other VeriSign departments offer web forms by which consumers can report abuse. (See e.g. the SSL Seal Report Misuse form.) Yet VeriSign’s Code Signing page lacks any such function, as if wrongdoing were somehow impossible here. Meanwhile, those with complaints have nowhere to send them. Indeed, I’ve reviewed complaints from Richard Smith and others, flagging both wrongly-issued certificates and the need for a complaint procedure, and raising these issues as early as January 2000.

Of course, beyond receiving and investigating consumer complaints, VeriSign could also run tests on its own — affirmatively seeking out bad actors who use VeriSign certificates contrary to VeriSign’s rules.

Update: Reponses from VeriSign and eWeek’s Larry Seltzer

After I published the article above, I received two responses from VeriSign staff. Phillip Hallam-Baker, VeriSign’s Chief Scientist, wrote to me on February 4 (the day after I posted my article) to say that “Click yes to continue was disabled yesterday.” Staff from VeriSign’s “Certificate Practices” department subsequently wrote to discuss current practices and to ask what more VeriSign could do here. They all seemed pretty reasonable — willing to admit that VeriSign’s practices could be better, and interested in reviewing my findings.

In contrast, I was struck by the response from eWeek‘s Larry Seltzer. Larry apparently spoke with VeriSign PR staff at some length, and he liberally quotes VeriSign staff defending having issued a certificate to “Click Yes to Continue.” Saying that I “may have jumped to a conclusion,” Larry seems to credit VeriSign’s claim that the bogus certificate problem was “basically all over” as soon as (or even before) I posted my article. I emphatically disagree. There are hundreds (thousands?) of certificates that continue to break VeriSign rules — for example, claiming to be security updates when they are not, or claiming “you must press yes” when they’re not actually required. (See also VeriSign-issued certs supporting misleading popups shown at Google Blogspot.) VeriSign may prefer not to enforce its own rules, prohibiting “distribut[ing] malicious or harmful content of any kind … that would … have the effect of inconveniencing the recipient.” And Seltzer may think VeriSign shouldn’t have such rules. But the rules do exist — VeriSign itself wrote them! — and the rule violations are clear and ongoing. That VeriSign revoked a few egregious certificates after I posted my article doesn’t mean VeriSign’s practices are up to par otherwise. What about all the other certs that break the rules?

Finally, Seltzer claims that VeriSign told me Click Yes to Continue is a valid company name. Nope. First, the premise is wrong; that’s just not a valid company name, because it’s facially misleading. Second, VeriSign never told me any such thing: I have carefully reviewed my email records, and no VeriSign staff person made any such statement. (To the contrary, see the Hallam-Baker quote above, admitting that Click Yes was in violation and was disabled.) Maybe VeriSign should spend more time investigating its rule violations, and less time trying to smear those who criticize its poor enforcement record.