New Series on Spyware Installation Methods

So-called “adware” companies say nonconsensual installations of their programs are just an “urban legend.” (See section 7 of 180’s claims in a recent interview.) But when I talk to users whose computers have become infected, I’m consistently told that they don’t know how they got the unwanted programs, and they say they certainly didn’t consent. How can we understand this divergence? How are users PCs receiving this unwanted software?

My new Spyware Installation Methods sets out a taxonomy of the ways unwanted programs sneak onto users’ computers. Some installations rely on tricking users — for example, showing confusing popups, or claiming or suggesting that an installation is required to view a web site. Others install unwanted software in bundles with programs users actually want — sometimes telling users what they’re getting in fine print midway through long licenses, but sometimes not even including these minimal disclosures. Finally, some spyware sneaks in through security hole exploits — without any user consent at all, thanks to defects in users’ web browsers or other software. (See the security hole video and write-up I posted last fall.)

There’s lots to be done in documenting how unwanted software gets onto users’ PCs. My Installation Methods page indexes my work to date, to the extent it’s posted online. But I have much more documentation still to be posted — for example, scores more videos showing security exploits. I’ll be making additions in the coming months, as I find better ways to present this work clearly and efficiently, and as I find clients or other revenue sources to help support this work. (I’m still looking! Send suggestions.)


Diagram of the steps users must follow in order to attempt to learn what software 3D and BlazeFind will install on their PCs.  Even diligent users ultimately have no way to know in advance what 3D will install on their PCs.Diagram of the steps users must follow in order to attempt to learn what software 3D and BlazeFind will install on their PCs.

Today I’m also starting what I intend to be a series of weekly updates to my site — tentatively entitled “misleading installation of the week.” Sometimes I’ll show massive security hole exploits that render users’ computers nearly useless, but sometimes I’ll post more “ordinary” infections that “merely” show extra ads or send users’ browsing habits to a remote server. At every turn I’ll emphasize the trickery common to most installation methods — the ways that substance (e.g. material omissions, euphemisms, confusing circumstances) and style (e.g. on-screen presentation format, window size and shape, link format) cause users to “accept” software that offers them little or no genuine benefit.

I’m starting this series with an analysis of software from 3D Desktop. 3D’s Flying Icons Screensaver bundles BlazeFind, which in turn bundles 180solutions and half a dozen other programs. To learn what’s included, users must puzzle through a dizzying array of licenses — scroll through one license to find a link to another; scroll through that agreement to find the URLs to others; perfectly retype those URLs; then read each of the resulting licenses. But even if users follow this lengthy procedure, 3D and BlazeFind will ultimately install programs beyond the programs the licenses specifically name. So even diligent users have no way to know in advance what 3D will do to their PCs. Plus, BlazeFind is overzealous in its claims of privacy protection: BlazeFind says the programs it installs don’t track users’ behavior, but my hands-on testing proves otherwise. Details:

3D Desktop’s Misleading Installation Methods

Interestingly, BlazeFind’s license mentions that BlazeFind is a product of CDT, a software distribution company recently purchased by 180solutions. 180 says the CDT acquisition is part of its effort to “clean up” its distribution methods. With practices like these, they certainly have plenty of work ahead. See also a recent Spyware Warrior analysis of other 180 claims and practices in need of correction or improvement.

Threats to Spyware Critics

The past three months have brought a dramatic spike in threats, demand letters, and “requests” — sent from companies who make unwanted software (some might call the programs spyware) to those who detect, remove, block, or write about these programs.

Threatening or suing critics isn’t a new idea. Claria made headlines in September 2003 when it filed suit against PC Pitstop, alleging unfair business practices, trade libel, defamation, and interference with contract arising out of PC Pitstop’s description of Claria’s software. But with more and more threats with each passing week, it’s becoming hard even to keep track of the accusations. I’ve therefore put together a new table listing complainants, targets, and summarized demands.

Details:

Threats Against Spyware Detectors, Removers, and Critics.

Advertisers Supporting eXact Advertising


A Netflix ad, one of many ads shown by eXact Advertising

I’ve repeatedly seen software from eXact Advertising installed through security holes, in poorly-disclosed bundles, or otherwise without meaningful (or any) notice and consent. What kind of advertisers would support a company that gets on users’ PCs in these ways? I was surprised to find scores of well-known firms promoted by eXact — including Apple, Chase, Circuit City, Dell, Expedia, Netflix, and Vonage. Cross-referencing eXact’s partner list with TRUSTe’s member list, I found 85 matches.

My full article gives screenshots of eXact’s ads, along with information about the triggers that cause eXact to display certain ads. I also discuss how eXact manages to promote some merchants and to receive payments from such merchants without those merchants having specific knowledge of what is occurring, nor giving their explicit consent.

Details:

Advertisers Supporting eXact Advertising

What P2P Programs Install What Spyware?


A misleading installation procedure -- with multiple licenses combined into a single scroll box, and offering to install programs without providing even a brief description of their purposes or effects.A misleading installation procedure — with multiple licenses combined into a single scroll box, and offering to install programs without providing even a brief description of their purposes or effects

Request a peer-to-peer filesharing program, and you may be surprised what else gets installed too. I’ve tested five major P2P programs and analyzed their bundled software. Licenses stretch to as long as 22,000+ words and 180+ on-screen pages. Some P2P apps add additional programs disclosed only in license agreement scroll boxes. And it’s not uncommon for a P2P app to create thousands of registry entries. But at least one major P2P program bundles no extra software at all.

My full article analyzes what programs come with what extra software. I have also posted screen-shots of each screen of the lengthy license agreements, and I’ve noted scores of license anomalies such as broken links, missing section-heading formatting and line breaks, important omissions, and surprisingly one-sided substantive provisions.

Details:

Comparison of Unwanted Software Installed by P2P Programs

How Google’s Blogspot Helps Spread Unwanted Software

Google claims to be on the right side of the spyware problem. Its May 2004 Software Principles set out lofty (if somewhat vague) standards for installation notice consent. Its Google Toolbar installer gives impeccable disclosure and obtains true, meaningful, informed consent. (See page 7 of my FTC Comments (PDF).) And Google is a victim of spyware: I’ve tested and studied a number of programs that add bogus search results and advertisements to Google.com results, tarnishing Google’s brand and siphoning advertising revenues that would otherwise accrue to Google.

Yet Google is far from blameless in the spyware battle. Of particular concern: Numerous blogs hosted at Google’s Blogspot service contain JavaScript that tries to trick users into installing unneeded software. At one such blog, users are offered a misleading popup that falsely claims "You have an out of date browser which can cause you to get infected with viruses, spam, and spyware. To prevent this, press YES now." If a user declines, the user is shown a second popup instructing "Click Yes to upgrade," followed by the first popup again. If the user declines a second time, a further popup claims "We strongly recommend you upgrade … Click YES Now!" See screenshots below.

A misleading installation attempt shown on a Blogspot page. A misleading popup attempting to encourage users to accept a misleading installation attempt shown on a Blogspot page. A misleading popup attempting to encourage users to accept a misleading installation attempt shown on a Blogspot page.

If a user presses yes, the user receives certain extra software, often including software that many users would call spyware. The screenshots above show an attempted installation of Elitetoolbar. I have also observed similar popups attempting to install software from Crazywinnings (repeatedly falsely claiming "you have to click yes to continue" if users initially decline the installation) and from Direct Revenue. See a video of the repeated Crazywinnings installation attempts. See also additional screenshots (1, 2, 3, 4) of other software installations and/or other infected Blogspot pages.

Who’s Responsible, and Who’s Able to Stop This Mess?

The popups at issue come from a service called iWebTunes.com. iWebTunes recruits blog authors by giving them music to add to their blogs or other web sites. But as users view the resulting blogs, iWebTunes shows software installation popups to attempt to foist extra programs onto users’ computers. These programs likely pay iWebTunes a commission for each resulting installation.

Users have reported unwanted software offered by Blogspot sites since at least September 2004. See a September 15, 2004 blog post complaining of spyware received from iWebTunes. I reported these problems to Google staff last week, including a specific example of an infected site. But so far Google has taken no action to stop the misleading popups on this site or others. A recent Blogspot tech support response admitted the problem, at least generally, but offered no specific approcah or timetable for resolution.

What should Google do? Google already disallows JavaScript within Blogspot.com posts. (Screenshot.) Apparently Google considers embedded JavaScript too risky — too likely to trick, deceive, or otherwise take advantage of users. But Google oddly allows JavaScript to be added to Blogspot headers and navigation bars. This decision should be reversed. Disallow the JavaScript interface by which iWebTunes gets added to Blogspot pages, so Blogspot pages can no longer trigger misleading JavaScript and ActiveX popups from iWebTunes or elsewhere. Of course some JavaScript code is entirely harmless — like the scripts that embed Google AdSense ads, comments, or polls. But Google should hesitate to permit JavaScript from unknown or known-hostile sources.

So Google is in a natural position to stop this problem. But it’s not the only company that could take action here. As I pointed out earlier this month, VeriSign plays a key role in authorizing ActiveX security warnings like that shown above: The misleading popups are only shown if they carry valid digital certificates, and VeriSign is the primary issuer of such certificates. VeriSign’s existing rules disallow using VeriSign-issued certificates “to distribute malicious or harmful content of any kind … that would … have the effect of inconveniencing the recipient.” I consider the programs above to be harmful for their addition of unwanted software including toolbars, silent auto-updaters, and systems that track and transmit certain personal information. Especially when combined with the popups’ false claims ("… out of date browser" and "you have to click yes") and especially in light of the other misleading circumstances of installation, I see ample basis to conclude that the popups are malicious. These software installation attempts are therefore arguably prohibited by existing VeriSign rules. But I’ve seen little sign of VeriSign acting to enforce its rules. VeriSign’s code signing site offers no obvious standards or procedures for assessing or reporting violations.

More on Google and Spyware: Sponsored Link Advertising from So-Called Spyware Removers

These misleading Blogspot popups are not Google’s only ties to spyware companies. Eric Howes has posted a warning he calls Google & Anti-Spyware Products: Be Wary of Paid Search Results. Eric and others have put together a list of “rogue/suspect” anti-spyware applications that are at best useless (failing to detect or remove bona fide spyware) and at worst malicious (installing new spyware of their own). Comparing current Google advertisers for a search on "spyware" with Eric’s impressively detailed list yields surprisingly numerous matches.

According to Google’s Software Principles, companies should "keep good company" by avoiding doing business with those who don’t meet ethical standards. Yet Google somehow continues to show ads for — and accept advertising payments from — companies whose supposed anti-spyware tools merely take advantage of users’ spyware worries. Google has made some progress at cleaning up the most dishonorable advertising for anti-spyware searches, but its AdWords advertising remains a poor, unreliable source for consumers to find reputable, high-quality anti-spyware applications.

The News, at My Site and Elsewhere

I’ve recently written about increasingly controversial online schemes — from installations through security holes, to spyware companies deleting each other, to programs that set affiliate cookies to claim commissions they haven’t fairly earned.

These aren’t nice practices, so I suppose it comes as no surprise that someone — perhaps some group or company that doesn’t like what I’m writing — has sought to knock my site offline. For much of Monday and Tuesday, as well as several hours last week, all of benedelman.org was unreachable. My prior web host, Globat, tells me I was the target of the biggest DDoS attack they’ve ever suffered — some 600MB+/second.

The Operations, Analysis, and Research Center at the Internet Systems ConsortiumDDoS attacks continue, but I’m fortunate to be back online — entirely thanks to incredible assistance from Paul Vixie of the Internet Systems Consortium. You may know Paul as the author of Bind or as co-founded of MAPS. (Or just see his Wikipedia entry.) But he’s also just an all-around nice guy and, apparently, a glutton for punishment. Huge DDoS attack? Paul is an expert at tracking online attackers, and he’s not scared. A special thanks to his Operations, Analysis, and Research Center (OARC) for hosting me. In any case, I apologize for my site’s inaccessibility yesterday. I think and hope I’ve now taken steps sufficient to keep the site operational.

Meanwhile, there’s lots of spyware news to share. I now know of fourteen different states contemplating anti-spyware legislation — a near-overwhelming list that is partiucularly worrisome since so many bills are silent on the bad practices used by the companies harming the most computer users. (Indeed, seven of the bills are near-perfect copies of the California bill I and others have criticized as exceptionally ineffective.) At the same time, federal anti-spyware legislation continues moving forward — but in a weak form that I fear does more harm than good.

Then there’s COAST’s dissolution — to my eye, the predictable result of attempting to certify providers of unwanted software when their practices remain deceptive. It’s reassuring to see Webroot standing up for consumers’ control of their PCs, though surprising to see Computer Associates defend COAST’s certification procedure as “valuable.” Now that Webroot and CA have withdrawn from COAST, COAST seems bound to disappear — probably better for users than a COAST that continues certifying programs that sneak onto users’ PCs.

The final surprise of last week’s news: Technology Crossover Ventures joined in a $108 million round of VC funding for Webroot. Wanting to own a piece of Webroot is perfectly understandable. But TCV is also an investor in Claria, a provider of advertising software that Webroot removes. (See also other investors supporting spyware.) How can TCV fund both Claria (making unwanted software) and Webroot (helping users remove such software)? TCV seems aware of the issue: They’ve recently removed Claria from their Companies page. But other sources — Yahoo! Finance, Private Equity Week, Archive.org, and even the Google cache — all confirm that the investment occurred.

How VeriSign Could Stop Drive-By Downloads updated February 22, 2005

VeriSign hates spyware — or so suggests CEO Stratton Sclavos in a recent interview. Even his daughter’s computer got infected with scores of unwanted programs, Sclavos explains, but he says VeriSign is helping to solve this problem. The ironic reality is Sclavos’ daughter’s computer was most likely infected via popups that appeared trustworthy only thanks to certificates issued by VeriSign. If Sclavos is serious about cracking down on spyware, VeriSign can end many deceptive installation practices just by enforcing its existing rules.

Drive-By Installs, Digital Signatures, and VeriSign’s Role

In 2002, Gator introduced ActiveX “drive-by downloads” — popups that attempt to install unwanted software onto a user’s PC as a user browses an unrelated web site. Today, Windows XP Service Pack 2 offers some protection by blocking many drive-by installation attempts. But for users with earlier versions of Windows, who can’t or don’t want to upgrade, these popups remain a major source of unwanted software. (And even SP2 doesn’t stop all drive-bys. For example, SP2 users with Media Player version 9, not the new v10, are still at risk.)

Even though Microsoft can’t (or won’t) fully fix this problem, VeriSign can. Before an ActiveX popup can install software onto a user’s computer, the installer’s “CAB file” must be validated by its digital signature. If the signature is valid, the user’s web browser shows the ActiveX popup, inviting a user to install the specified software. But if the signature is invalid, missing, or revoked, the user doesn’t get the popup and doesn’t risk software installation.

Microsoft has accredited a number of providers to offer these digital certificates. But in practice, almost all certificates are issued by VeriSign, also owner of Thawte, previously the second-largest player in this space. (See a findlaw.com antitrust discussion message noting that, as of February 2000, the two providers jointly held 95% of the digital certificate market.)

Through existing software systems, already built into Internet Explorer and already implemented by VeriSign servers, VeriSign has the ability to revoke any certificate it has previously issued, disabling ActiveX installations that use that certificate. See VeriSign’s Certificate Revocation List server (crl.verisign.com) and Microsoft Certificates documentation of the revocation system.

I suggest that VeriSign can and should use its existing certificate revocation system to disable those certificates issued or used in violation of applicable VeriSign rules.

Examples of the Problem, and A Specific Proposal

Consider the three misleading ActiveX installers shown below. The first gives an invalid company name (“click yes to continue”). The second gives a misleading/missing product name (“virus free”). The third was shown repeatedly, between popups that falsely claimed “In order to view this site, you must click YES.” Click on each inset image to see a full-size, uncropped version.

An ActiveX installer with a misleading company name, purportedly  "click yes to continue." An ActiveX installer with a misleading product name ("VIRUS FREE").

Each of these misleading installations is contrary to VeriSign contract, contrary to VeriSign’s duty to its users, and contrary to VeriSign’s many promises of trustworthiness. In the first installer, VeriSign affirmatively certified the “click yes to continue” company name — although it seems that there exists no company by that name, and although that company name is facially misleading as to the purpose of the installation prompt. In the second and third examples, VeriSign certified companies that subsequently used VeriSign’s certification as a necessary step in deceiving users as to the function of and (alleged) need for their programs.

Given VeriSign’s claims (such as its old motto, “the value of trust”), VeriSign should want to put an end to these practices. When VeriSign certificates are issued wrongfully (as in the first example) or are used deceptively (as in the second and third), VeriSign should take action to protect users from being tricked. In particular, when an application offers a facially invalid and misleading company name, VeriSign should refuse to issue the requested certificate. When an applicant violates basic standards of truth-telling and fair dealing, VeriSign should revoke any certificates previously issued to that applicant.

Why VeriSign Should Get Involved

VeriSign’s intervention would be entirely consistent with its existing contracts with certificate recipients. For example, section 11.2 (certificate buyer’s representations) requires a certificate buyer to represent that it has provided accurate information — including an accurate company name. The purported company name “click yes to continue” surely violates the accuracy requirement, meaning the certificate supporting the first popup above is prohibited under VeriSign rules.

Furthermore, VeriSign’s section 4 (“Use Restrictions”) prohibits using VeriSign certificates “to distribute malicious or harmful content of any kind … that would … have the effect of inconveniencing the recipient.” The dialers, toolbars, tracking systems, and advertising systems provided by the second and third popups are indisputably inconvenient for users. I claim the resulting software is also “malicious” and/or “harmful” in that it tracks users’ personal information, slows users’ computers, shows extra ads, and/or accrues long-distance or 900 number access costs. So these installation prompts also violate applicable VeriSign rules.

VeriSign’s contracts grant VeriSign the power to take action. Section 5 explains that “VeriSign in its sole discretion retains the right to revoke [certificates] for [certificate buyers’] failure to perform [their contractual] obligations.” So VeriSign has ample contractual basis to revoke the misleading certificates.

Contractual provisions notwithstanding, I anticipate certain objections to my proposal. The obvious concerns, and my responses —

  • It’s too hard and too costly for VeriSign to find the wrongdoers. But VeriSign is a huge company, and a market leader in online security, infrastructure, and trust. Also, confirming the legitimacy of certificate recipients is exactly what VeriSign is supposed to be doing in the course of its certificate issuance. VeriSign charges $200 to $600 per certificate issued. At present it’s unclear what verification VeriSign performs — what work VeriSign does to earn $200+ for each certificate issued. The procedures I’m proposing might require a few new employees and some ongoing effort. But for a company precisely engaged in the business of certifying others’ practices, this testing is appropriate. Even if enforcement is costly, VeriSign stands to lose much more if it dilutes its brand and “trust” promise by failing to stop deceptive installations occurring under the guise of VeriSign certificates.
  • There are some difficult border cases. I agree that not all ActiveX installers are as outrageous as those shown above. For example, Claria’s installers lack the most outrageous of the deceptive practices above — they give Claria’s true company name, and they don’t explicitly claim that installation is required. Yet Claria’s installers still have major deficiencies. For example, Claria’s installers fail to admit that Claria software will not just “monitor” user information but also collect and store such data (in what is reportedly the seventh largest database in world), and Claria’s software repeatedly tries to install even if users decline when initially asked. What should VeriSign do with a case like Claria? I consider Claria’s installation practices deceptive and unethical, but I’m not sure it’s VeriSign’s role to make Claria stop. However, the existence of some hard decisions doesn’t mean VeriSign shouldn’t at least address the easy cases.
  • XP SP2 already solved the ActiveX problem, so this is irrelevant. I disagree. Tens of millions of users still run old versions of Windows. Some users can’t afford the cost of an upgrade (new software plus, for many users, faster hardware). Others cannot upgrade due to corporate policies or compatibility concerns. Then there are problems for which even SP2 doesn’t offer full protection: WindowsMedia files can still open ActiveX popups and installer decoys that try to trick users into authorizing installations.

VeriSign’s intervention would make a big difference. VeriSign could stop many misleading software installation practices, including those shown above, and block what remains a top method of sneaking onto users’ PCs. Unlike spammers who switch from one server to another, spyware distributors can’t just apply for scores of new digital certificates, because each application entails out-of-pocket costs.

Plans for an Enforcement Procedure

Enforcement of invalid company names would be particularly easy since VeriSign already has on hand the purported company names of all its certificate recipients. Entries like “click yes to continue” stick out as facially invalid. Simply reading through the list of purported company names should identify wrongdoers like “click yes to continue” — applicants whose certificates should be investigated or disabled.

It’s admittedly somewhat harder for VeriSign to stop certain other deceptive practices that use VeriSign-issued certificates. While VeriSign knows the company names associated with all its certificates, VeriSign’s systems apparently don’t currently track the purported product names signed using VeriSign certificates. Furthermore, VeriSign receives no special warning when a certificate recipient uses tricky JavaScript to repeatedly display an installation attempt or to intersperse displays with “you must click yes” (or similar) popups.

But VeriSign could at least establish a formal complaint and investigation procedure to accept allegations of violations of applicable contracts. Other VeriSign departments offer web forms by which consumers can report abuse. (See e.g. the SSL Seal Report Misuse form.) Yet VeriSign’s Code Signing page lacks any such function, as if wrongdoing were somehow impossible here. Meanwhile, those with complaints have nowhere to send them. Indeed, I’ve reviewed complaints from Richard Smith and others, flagging both wrongly-issued certificates and the need for a complaint procedure, and raising these issues as early as January 2000.

Of course, beyond receiving and investigating consumer complaints, VeriSign could also run tests on its own — affirmatively seeking out bad actors who use VeriSign certificates contrary to VeriSign’s rules.

Update: Reponses from VeriSign and eWeek’s Larry Seltzer

After I published the article above, I received two responses from VeriSign staff. Phillip Hallam-Baker, VeriSign’s Chief Scientist, wrote to me on February 4 (the day after I posted my article) to say that “Click yes to continue was disabled yesterday.” Staff from VeriSign’s “Certificate Practices” department subsequently wrote to discuss current practices and to ask what more VeriSign could do here. They all seemed pretty reasonable — willing to admit that VeriSign’s practices could be better, and interested in reviewing my findings.

In contrast, I was struck by the response from eWeek‘s Larry Seltzer. Larry apparently spoke with VeriSign PR staff at some length, and he liberally quotes VeriSign staff defending having issued a certificate to “Click Yes to Continue.” Saying that I “may have jumped to a conclusion,” Larry seems to credit VeriSign’s claim that the bogus certificate problem was “basically all over” as soon as (or even before) I posted my article. I emphatically disagree. There are hundreds (thousands?) of certificates that continue to break VeriSign rules — for example, claiming to be security updates when they are not, or claiming “you must press yes” when they’re not actually required. (See also VeriSign-issued certs supporting misleading popups shown at Google Blogspot.) VeriSign may prefer not to enforce its own rules, prohibiting “distribut[ing] malicious or harmful content of any kind … that would … have the effect of inconveniencing the recipient.” And Seltzer may think VeriSign shouldn’t have such rules. But the rules do exist — VeriSign itself wrote them! — and the rule violations are clear and ongoing. That VeriSign revoked a few egregious certificates after I posted my article doesn’t mean VeriSign’s practices are up to par otherwise. What about all the other certs that break the rules?

Finally, Seltzer claims that VeriSign told me Click Yes to Continue is a valid company name. Nope. First, the premise is wrong; that’s just not a valid company name, because it’s facially misleading. Second, VeriSign never told me any such thing: I have carefully reviewed my email records, and no VeriSign staff person made any such statement. (To the contrary, see the Hallam-Baker quote above, admitting that Click Yes was in violation and was disabled.) Maybe VeriSign should spend more time investigating its rule violations, and less time trying to smear those who criticize its poor enforcement record.

What Hope for Federal Anti-Spyware Legislation? updated January 31, 2005

Will the new year bring effective, tough federal anti-spyware legislation? Congress’s attempt to block spam, the CAN-Spam Act, was by most reports unsuccessful. But I think Congress could do better with spyware. Spammers tend to be small, fly-by-night operations — hard for lawyers and courts to find and stop. In contrast, many spyware companies have fancy headquarters and major investors. (See my recently-released list.)

So tough anti-spyware legislation could find and stop the biggest spyware offenders. Unfortunately, from what I’ve seen so far, any new anti-spyware law will be surprisingly lax. The major effort so far is Rep. Mary Bono‘s recently-reintroduced SPY Act (H.R.29). Her intentions are surely good, and Reuters has called her bill “tough.” But as I read the bill, it’s riddled with loopholes and almost certain to be ineffective. (Ed Felten offered this unhopeful assessment in his predictions for technology policy in 2005, and Ed Foster has been saying so since June.)

The Sec.2. “Deceptive Acts” Prohibition — and Its Loopholes

Bono’s bill begins with eighteen specific practices to be prohibited. From taking control of a computer and using it to send “unsolicited information” (e.g. junk email) (Sec.2.(a)(1)(A)), to using a keystroke logger ((a)(3)), to changing home pages ((a)(2)(A)) and bookmarks ((a)(2)(C)), the bill prohibits a veritable laundry list of controversial activities.

But Sec.2.(a) covers only actions that are “deceptive.” Indeed, many of the section’s prohibitions wouldn’t make sense without an exception for legitimate programs. Certainly users should be able to set new home pages if they choose, and when users install new programs, those programs should be able to add entries to browsers’ Favorites menus. Yet these same actions are unwanted when performed by spyware programs. Unfortunately, the bill offers no definition or clarification as to how to tell the difference — as to what constitutes a deceptive action. Is an action “deceptive” when it is disclosed only in fine print in a 25-page license? When the action is disclosed in a license users are never actually shown, only offered via an optional link? When the action is prominently disclosed, but in an installation performed by a site targeting children? Surprisingly, the bill is entirely silent on these important questions of what exactly Sec.2. does or does not prohibit. Instead the bill merely leaves these matters to FTC “guidance.”

Pending such FTC rules, the Sec.2. requirements will be largely ineffective: Spyware companies will claim that users consented to their schemes when users pressed “yes” in installation dialog boxes — no matter how lengthy, confusing, misleading, or poorly-presented the on-screen disclosures. At best, the bill asks the FTC to address the problems Sec.2. identifies — hardly the “tough” regulation Reuters reported. The FTC’s prior “consent” comments suggest that the FTC would consider a “yes” press as an absolute bar against a Sec.2. complaint. Since so many spyware programs install by tricking users into granting at least some form of supposed consent, this FTC interpretation would eviscerate Sec.2.

Sec.2. is also puzzling because many, if not most, of the specified practices are already prohibited by existing law. For example, Sec.2.(a)(5) prohibits “Inducing the owner or authorized user to install or execute computer software by misrepresenting the identity or authority of the person or entity providing the computer software to the owner or user” — which sounds like common law fraud, and is therefore already illegal. Similarly, Sec.2.(a)(8)’s prohibition on removing security software echoes the existing Computer Fraud and Abuse Act, which prohibits “exceed[ing] authorized access” to a computer.

Perhaps Sec.2. is valuable for providing a consolidated listing of prohibited practices pertaining to unwanted software, higher penalties for such practices, and renewed calls for enforcement. But the underlying unauthorized interference with users’ computers is already illegal. What Sec.2. could do — but doesn’t — is tighten notions of consent so that spyware companies can’t claim authorization, then escape liability, where users didn’t intend to grant authorization.

The Sec.3. Notice Requirements, and How Spyware Companies Can Abuse Them

The bill’s Sec.3.(c) gives some regulation of notice and consent as to programs that collect personal information, or that track online activities and show advertising. But the bill is exceptionally permissive, seeming to permit many of the tricks spyware companies have long used to persuade users to accept their software.

Sec.3. sets out four basic requirements for notice and consent:

  1. Notice must be “clearly distinguish[ed]” from other on-screen text. ((c)(1)(A))
  2. Notice must include text “substantially similar” to “This program will collect and transmit information about you” or “This program will collect information about Web pages you access and will use that information to display advertising on your computer.” ((c)(1)(B))
  3. Notice must remain on screen until the user grants or denies consent. ((c)(1)(C),(E))
  4. Notice must provide an option giving “clear” additional information about the type of information to be collected and the purpose of such collection. ((c)(1)(D))

Taken in the abstract, these sound like reasonable requirements. But many providers of unwanted software already largely satisfy these requirements, while nonetheless installing their software in ways that confuse users and in ways that don’t give users a full sense of what the programs will actually do.

Consider, for example, the Grokster installation procedure.. By my count, Grokster shows a 120-page Claria license followed by a 278-page license for half a dozen other programs. These licenses differ somewhat from the specific text in the bill’s section (c)(1)(B), but the bill’s “substantially similar” provision means the existing text may be sufficient. And although Grokster ultimately installs at least fifteen different unwanted programs, it need only show a Sec.3. disclosure once: The fact that Claria’s disclosure (perhaps) satisfies Sec.3.’s requirements seems to clear the way, under the plain language of Sec.3., for Grokster to install whatever other programs it wants, without so much as telling users the names of the programs to be installed.

A Claria drive-by download prompt -- allowing the user to press 'Yes' and have software installed, without first seeing Claria's license agreement.Even “drive-by downloads” might be taken to be permitted under the bill. Recall the ActiveX “security warnings” shown by Windows versions prior to XP Service Pack 2 — pop-ups like that shown at right, appearing when users browse unrelated web sites, but installing software on users’ computers with a single press of a “yes” button. (These practices are all the more confusing because some legitimate programs, like Macromedia Flash, use the same dialog box to install their latest versions.) Turning to the specific requirements of the bill as applied to these installation attempts:

  • The use of a hyperlink, with resulting blue highlighting and underlining, could be claimed to satisfy the “clearly distinguish” requirement of (c)(1)(A).
  • Claria’s existing disclosure could be claimed to be “substantially similar” to the required (c)(1)(B) statement. Claria’s existing “display … GAIN-branded ads” disclosure could be claimed to be similar to the bill’s “display advertising on your computer” model text. Claria’s “based on websites you view” might be claimed to be similar to the bill’s “collect information about Web pages you access.”
  • The installation dialog box remains on screen until the user makes a choice, seemingly satisfying the requirements in (c)(1)(E).
  • Claria’s hyperlink provides more information, seemingly responsive to the requirement in (c)(1)(D), though Claria’s lengthy text might or might not satisfy the bill’s “clear description” requirement.

Of course, some practices are so egregious that even the proposed bill would prohibit them. For example, when 180solutions software is installed through security holes, users get no notice whatsoever and have no opportunity at all to deny consent — violating the Sec.3. requirements. But Claria’s drive-by downloads are also arguably unacceptable. Why should Congress endorse software installed via popups which appear as users browse totally unrelated content; which install software with just a single click of “yes”; and which look so similar to popups installing software that users actually need (like Macromedia Flash)?

I see at least three specific problems with Sec.3.:

  • Allowing disclosures to be written in “substantially similar” language — inviting spyware providers to describe their products in marketing euphemisms, deterring users from making a impartial choice based on unbiased facts and plain language.
  • Allowing installation of many unwanted programs after only a single disclosure — without telling users about the names or even the quantity of programs to be installed.
  • Giving software providers carte blanche to repurpose users’ computers for software providers’ benefit, after requiring only a one-sentence pro forma disclosure.

Weak enforcement

Suppose some bad actor violated the bill’s requirements. How will they be held accountable? Sec.4. speaks to enforcement — unfortunately giving enforcement authority only to the FTC.

Experience shows the FTC to be slow to pursue spyware perpetrators: The FTC has filed only a single anti-spyware case to date, and has failed to act on (among scores of other problematic activities) the installation of dozens of programs through security holes, even when documented in research posted months ago (by me and others). If the FTC won’t rigorously enforce Bono’s bill, then the bill will be dead letter — on the books, but unsuccessful in constraining spyware companies’ behavior.

A better approach would encourage enforcement by parties with a strong incentive to act. State attorneys general face public election which inspires aggressive pro-consumer litigation. Private parties also have clear incentives to sue, since they could seek to recover damages from spyware companies operating in violation of the bill’s requirements. I’d like to see the enforcement clause broadened to grant enforcement powers to those with real incentives to identify and pursue wrongdoers.

Alternative legislation

What would tough anti-spyware legislation look like? One easy addition is to specifically prohibit drive-bys. Congress should not allow the installation, as users merely browse unrelated web pages, of software that tracks online activities and shows ads. Users should only be offered such software at a time and in a manner in which they can meaningfully evaluate the agreement. They should have to seek out such software to be installed on their computer; it should not be not be foisted upon them. Neither should users suffer repeat installation attempts — like reappearing “You must press ‘Yes’ to continue” popups that harass users until they agree. Saying ‘no’ once should be enough, but nowhere does the bill prevent spyware providers from asking over and over.

Tough anti-spyware legislation would also establish special barriers against practices known to be particularly detrimental to users’ PCs. Installing a dozen or more spyware programs cripples even a fast computer, and tough anti-spyware legislation would, at the least, require special disclosures when a requested program intends to install multiple other programs. I’d expect at least a listing of all the specific programs to be installed, with a one-sentence description of the effects and purported benefits of each.

Congress should also speak to the uses of affiliates to perform software installations. Companies like 180solutions have embraced affiliate installations — offering web-based signup procedures (not to mention spam email campaigns) to find “partners” to install 180 software in exchange for commissions of $0.07 per installation. Later, when 180 software is installed without notice or consent, 180 claims “deceptive distribution” — as if 180 were surprised that their unaccountable affiliates didn’t follow the rules. A tough anti-spyware law should decisively close this potential loophole. Where software developers are lax in their supervision of affiliates, and especially where affiliates’ bad practices continue for months on end, the software developers should be held accountable — legally and financially — for the prohibited actions of their affiliate business partners.

As discussed above, the bill lacks meaningful enforcement provisions. Real compliance almost certainly requires permitting enforcement by state attorney generals and private parties. A truly tough anti-spyware bill should also hold advertisers accountable for their decisions to contract with, support, and fund spyware companies. If an advertiser hires a spyware company to show its ads through software wrongly installed on users’ PCs, perhaps that advertiser should pay a share of the costs of repairing users’ computers.

Rather than helping the spyware problem, Bono’s weak bill could even make things worse. If passed, the bill will fill the space — making further federal anti-spyware legislation unlikely, at least in the short run. Also, the bill specifically supercedes state laws which might be tougher — so if Bono’s bill passes, no state can set higher requirements. (In a recent hearing, Congressman Gillmor raised this same concern.) Finally, passing a bill that rubber-stamps spyware firms’ controversial practices serves only to make those companies stronger. Claria publicly supported California’s toothless anti-spyware bill. Since Bono’s bill will do equally little to curb Claria’s practices, Claria will surely support this legislation too.

But all is not lost. With half a dozen line edits, Bono’s bill could be significantly better. And the bill is only a few hours of editing away from prohibiting spyware companies’ major deceptive practices without affecting legitimate practices used by mainstream companies. Here’s hoping for a bill that truly deserves the “tough” moniker.

180 Talks a Big Talk, but Doesn’t Deliver updated February 4, 2005

The anti-spyware community has been abuzz all weekend with the news of spyware company 180solutions joining the Consortium of Anti-Spyware Technology (COAST). From the 180solutions press release:

“180solutions, a provider of search marketing solutions, today announced it has become a developer member of … COAST. … By working with COAST and complying with its strict Code of Ethics, standards and guidelines, 180solutions aligns itself with the organization’s governing companies, … PestPatrol, … Webroot. … “180solutions has passed a lengthy and rigorous review process demonstrating their commitment to develop and distribute spyware-free applications,” said Trey Barnes, executive director of COAST.”

Some specific worries:

Substantive conflict of commitment

COAST members PestPatrol and Webroot currently detect and remove 180 software. So these companies are (rightly!) telling their users that 180solutions software should be removed from users’ computers.

At the same time, according to 180’s press release, 180solutions is “releasing versions of its applications that have been reviewed and evaluated by COAST.” This press release, COAST’s “review” of 180 software, and COAST’s acceptance of 180 into its consortium can only be taken to constitute a COAST endorsement of 180. That’s a clear conflict with COAST members simultaneously recommending that users remove 180 software.

Then there’s the conflict of interest that inevitably arises whenever an anti-spyware company declares an alleged spyware provider to be legitimate. Users buying a vendor’s anti-spyware software think they’re buying that vendor’s best efforts to identify and remove software users don’t want. When the vendor instead accepts funds from a software provider, one making the kind of software that the vendor is supposed to be removing, users can’t help but wonder whose interests the vendor has in mind. To my mind, the better strategy is for anti-spyware vendors to refuse partnerships with any company making software that might colorably be claimed to be spyware. (See Xblock’s statement of policy.)

I don’t want to overstate the problem. So far, PestPatrol and Webroot still detect and remove 180 software. 180 isn’t listed on COAST’s Members page. And COAST members don’t directly receive the money 180 pays COAST.

But the latent problems remains: For a fee, COAST is certifying controversial providers of allegedly-unwanted software, dramatically complicating the role and duties of COAST and its members. COAST staff are providing favorable quotes in 180 press releases. Who can users trust?

180solutions installation practices are outrageous and unethical

180’s endorsement by COAST is particularly puzzling and particularly worrisome due to 180’s many bad business practices. Indeed, in my testing, 180’s installation practices remain among the worst in the industry. The details:

I have personally observed (and preserved in video recordings) more than two dozen instances of 180 software installed through security holes. (Example video.) Just yesterday, I browsed the Innovations of Wrestling site (iowrestling.com, proceed at your own risk), where viewing the site’s privacy policy invoked a security exploit installing more than a dozen unwanted programs, 180solutions software included. (Note that iowrestling’s installations are at least partially random, so it’s hard to replicate this result. But I kept a video and packet log of my findings.)

Even when 180 installers do request consent to install, the disclosure is often quite misleading. For example, I previously documented Kiwi Alpha installing 180, first mentioning 180 at page 16 of a 54-page license agreement. With 180’s installation warning buried in such a long text, ordinary users are unlikely to learn that Kiwi gives them 180. Certainly users don’t grant knowing consent to the installation.

180’s web site claims “no hiding,” but 180 uses a variety of tricks to make its software harder to find and remove. 180 sometimes uses randomized filenames which make its files unusually difficult to locate. 180 also installs itself into multiple directories — sometimes c:Program Files180solutions (or similar), but sometimes into the root of c:Program Files and sometimes directly into a user’s Windows directory. If uses do manage to find and delete some 180 files, another 180 program often pops up to request reinstallation. If these tricks don’t constitute hiding, I don’t know what does.

180’s controversial installation practices are not mere anomalies. I’ve observed these, and others like them, for months on end. Even 180solutions’ director of marketing sees the problem. See Seattle Post-Intelligencer article, reporting his admission that “n-Case could get bundled with other free software programs without the company’s knowledge [which] could lead to the n-Case software fastening to individual’s computers without their knowledge.”

How did 180 get into this mess? It seems 180 hasn’t been careful in choosing who they partner with. In fact, they recruit distributors (as well as advertisers) by unsolicited commercial email. See 20+ examples.

Interestingly, in its recent press release, 180 does not claim to have stopped these controversial practices. If 180 did make such a claim, I’d be able to disprove it easily — there are so many sources of 180 software installed without notice and consent. Instead, 180 claims only that they are working on a “transition” to improved business practices.

But this isn’t the first time 180 has promised to clean up its act. In March 2004, 180’s CEO claimed 180’s “Zango” product — then the new replacement for the older n-CASE — would give users more information before installation. In an April interview, he attributed to the old n-CASE product “certain users … who are not sure where or how they got our software,” but said “the Zango product … is a means to improve that.” On at least these two occasions, 180 has pledged to improve its practices. Nearly a year later, 180 software often still gets installed without notice or consent. So we’re still waiting for the promised improvements. Meanwhile, 180 continues to benefit profit from its millions of ill-gotten installations.

180solutions advertising practices are outrageous and unethical

Beyond controversial installation methods, 180 also deserves criticism for its intrusive and allegedly-anticompetitive advertising practices.

180 covering Delta.com with Hawaiian Airlines web site180 covering Delta.com with Hawaiian Airlines web site

When 180 covers a web site with one of its competitors, 180 doesn’t just show a small popup ad (like, say, Claria — not that Claria’s practices deserve praise). Instead, 180 opens a new web browser showing the competitor’s site, generally covering substantially all of the targeted web site. A user who wants to stick with the site he had previously requested must affirmatively close the new window — taking an extra step due to 180’s intervention. What would we think of a telephone company that connects a user to Gateway when the user dials 1-800-Dell-4-Me, unless the user then presses some extra key to return to what he had requested initially? The real-world analogy makes it almost too easy to assess 180’s legitimacy: No telephone company could get away with such a scam, yet 180’s advertising practices have gone largely unchallenged.

Even more problematic are 180 ads targeted at competitors’ check-out pages. Sometimes 180 lets a user browse a merchant’s web site uninterrupted, but when the user reaches the page requesting order confirmation, 180 then covers the merchant’s site with a competitor — interrupting the user’s purchase. Again, the real-world analogy is straightforward. Suppose one retailer sent its sales employees into a competitor’s store, to invite users to take their business elsewhere as they waited in line to reach the checkout counter. The intruding employees would be arrested as trespassers.

Then there are the thousands of 180 ads that include affiliate codes. Some of 180’s ads cover a web site with a competitor reached through an affiliate link. Via these ads, companies find themselves promoted by 180, and find themselves directly or indirectly paying commissions to 180 — all despite never requesting that 180 advertise or promote them.

Even worse are the 180 ads that target a merchant with its own affiliate links. Here, merchants end up paying affiliate commissions where they’re not otherwise due. For example, when users reach merchants’ sites by clicking through non-affiliate links or by typing merchants’ domain names, 180 nonetheless intercedes by opening affiliate links to merchants’ sites. Whether shown in double windows, hidden windows, or on-screen decoys, 180’s affiliate links make merchants’ commission-tracking systems think resulting purchases resulted from 180’s promotional efforts. Unless merchants figure out that they’re being cheated — being asked to pay commissions not fairly earned — 180 and its advertisers receive commission payments for users’ purchases. (Details; example.)

There’s plenty more to criticize about 180. To this day, installations on zango.com let users install 180 software without so much as seeing 180’s license agreement. Even 180’s current uninstall procedures give far more information than 180 provides prior to installation. And Andrew Clover reported 180 code that deletes competitors’ programs from users’ disks.

COAST’s credibility on the line

180’s claims of planned improvement are essentially unverifiable. Since 180 admits to a mix of permissible and impermissible installations, its claims of improvement cannot be falsified by critiquing current behavior. Instead, whenever I or others show 180 software installed without proper notice and consent, 180 can say this is just a remnant of prior practices not yet cleaned up in “transition.” By the plain text of 180’s press release, we’ll have to wait at least 90 days to prove that 180 isn’t living up to its promises to COAST and to users.

Why would COAST sign onto this bargain? MediaPost reports 180 paying COST a membership fee as large as $10,000 per year, so that gives one clear explanation. Also, notwithstanding participation by PestPatrol and Webroot, COAST’s past is hardly uncontroversial. In 2003, Lavasoft (makers of Ad-Aware) decided to leave COAST, complaining that COAST’s focus on “revenue generation … reflect[s] badly on the entire anti-trackware industry.” Similarly, Spybot refused to join COAST due to participation by companies that were, in Spybot’s view, unethical.

COAST’s credibility is on the line. I don’t see endorsement of software providers as an appropriate part of COAST’s mission. But even if such work were appropriate, 180 deserves no such praise — its history of outrageous practices and its continued use of such practices mean it should be criticized, not granted an award or endorsement.

Update (February 4): Reporting “concern” at COAST’s certification program, Webroot resigned from COAST.

Update (February 7): Computer Associates (makers of PestPatrol) also resigned from COAST. However, a CA spokesperson defended COAST’s endorsement procedure, calling such endorsements “valuable.”

Disclosure: I serve as a consultant to certain merchants concerned about fraudulent activities by 180solutions and its advertisers. I have advised certain attorneys and merchants concerned about 180solutions activities and practices.