Debunking Zango’s "Content Economy" updated May 29, 2008

Zango often touts its so-called “content economy” — purportedly providing users access to media in exchange for accepting Zango’s popup ads. After four years of debunking Zango’s claims, I’ve come to suspect the worst — and my investigations of Zango’s media offerings confirm that Zango’s media library is nothing to celebrate. This article reports the results of my recent examinations. I show:

  • Widespread copyrighted video content presented without any indication of license from the corresponding rights-holders. Details.
  • Widespread sexually-explicit material, including prominent explicit material nowhere labeled as such. Details.
  • An audio library consisting solely of prank phone calls to celebrities (without the “music” Zango promises). Details.
  • Widespread material users can get elsewhere for free, without any popups or other detriments. Details.
  • Widespread material that content creators never asked to have included in any Zango library. Details.

Widespread copyrighted video content presented without any indication of license from the corresponding rights-holders

Many of the videos in of Zango’s video library are the work of major movie studios, TV networks, and other third parties that own and assert copyright in their respective works. These videos consistently appear without any statement of authorization (e.g. “used with permission”) or even the ordinary copyright notice. I therefore conclude that Zango’s site features these videos without authorization from the corresponding rights-holders.

Zango Offers Daily Show with Guest Chris Rock Zango Offers Daily Show w/ Chris Rock

Zango Offers 'Borat' Zango Offers Borat

For many videos in Zango’s library, it is trivially easy to determine the video’s source. For example, text in the corner of Zango’s “Ashley Judd Nude Photoshoot” indicates the video comes from “Norma Jean & Marilyn” (1996, released on DVD by HBO Home Video). The title of Zango’s “Wild Things” suggests the video comes from the 2004 Sony Pictures movie by the same name; watching the video confirms the match. Zango’s “Girls Next Door Nude Compilation” begins with the distinctive Playboy logo. Zango’s “Chris Rock on the Daily Show” reproduces a video clip from Comedy Central’s Daily Show. It’s easy to find scores of other examples plainly labeled as well-known copyrighted works.

Other videos in Zango’s library are harder to identify — at least those without extensive entertainment industry experience. For example, I cannot easily determine the specific movie that included the scenes shown in Zango’s “Paris Hilton Striptease” or “Rachel Hunter in the Bathtub.” But the clips leave little doubt that they were filmed professionally and that the respective studios hold copyright in the resulting works. Similarly, I cannot easily determine the specific source of Zango’s “Branding Beat Down.” However, every frame of the video bears the distinctive Fox logo — indicating that the video originated with the Fox Broadcasting Company.

As to at least eight of the files in Zango’s library, I have specifically confirmed that Zango’s reproduction occurs without authorization from the underlying rights-holders. (Details below.) As to selected other files, I have sent inquiries to the corresponding rights-holders. I will update this page if I confirm whether Zango has properly licensed the content at issue.

Infringing videos are remarkably prominent in Zango’s video library. For example, as of May 27, Zango’s home page linked to “Borats First Trip To An American Gym” (s.i.c.). This clip was listed as the second most popular video in Zango’s entire content library, and it was placed in the top-center of Zango’s main www.zango.com web page, “above the fold” (within the portion of the page visible without using scroll bars). Yet the title of the video plainly indicates that the video contains the copyrighted work of others. Moreover, the video features the “DIVX Video” logo, indicating that DivX software was used to extract (“rip”) the video from a DVD. No authorized reproduction would be provided with a DivX overlay, so the presence of the DivX marker confirms that this video was reproduced without permission from the creators of Borat.

Other online video sites have been the target of major copyright litigation. For example, Viacom last year sued Google, alleging that “YouTube appropriates the value of creative content on a massive scale for YouTube’s benefit without payment or license.” In defense, Google points out that YouTube receives videos from independent — potentially granting Google immunity for these infringements due to the Digital Millennium Copyright Act‘s safe harbor for infringements occurring at the direction of users (17 USC 512(c)(1)).

Unlike YouTube, Zango’s video library offers no prominent “upload” function. Some of Zango’s videos arrive through the Revver video-sharing service (discussed below), probably originating with a variety of independent users. But many of the copyrighted videos Zango offers reside on Zango’s servers, not on Revver servers. (For example, all eight of the sexually-explicit videos linked in the first paragraph of the next section are hosted on Zango servers.) Because Zango offers no “upload” function by which ordinary users could have put videos onto Zango’s site, it therefore appears that these videos were provided by Zango or its agents, not by independent users. If so, Zango will not find protection in the DMCA’s safe harbor for infringements caused by users.

Moreover, even if Zango’s videos were provided by independent users, the circumstances of the reproduction seem to render Zango ineligible for the DMCA safe harbor. For one, the safe harbor requires that Zango lack actual knowledge of the infringements. But the infringing videos were obvious and self-evident, not just from their titles and contents, but also from their prevalence in featured results Zango chose to highlight. In addition, the safe harbor requires that Zango not receive a financial benefit directly attributable to the infringements. But Zango used these videos to induce users to download its popup-generating software, a financial benefit that is directly attributable to the infringing videos. (Consider the case of a user who installs Zango in response to solicitation offering a specific copyrighted video clip. Example.) Furthermore, Zango has the right and ability to control the infringement (e.g. by removing the infringing videos). Because Zango’s financial benefit can be directly tracked to a specific infringement, and because Zango has the right and ability to prevent such infringement, Zango seems to fail the test in 17 USC 512(c)(1)(B).

Zango may claim that its videos are fair use. The Copyright Act sets out a four-factor test for determining whether reproduction of a copyrighted work is permissible, despite lack of authorization from the rights-holder. The fair use test calls for considering 1) the purpose and character of the use (e.g. whether commercial or nonprofit), 2) the nature of the copyrighted work, 3) the amount and substantiality of the portion used, and 4) the effect of the use upon the potential market for the work. Factor one is easy: Zango’s use is clearly commercial, which tends to cut against a finding of fair use. Zango might claim that its presentation of excerpts (rather than entire movies) supports a finding of fair use under the third test — but Zango exactly chooses what it views as highlights (e.g. the explicit portions of full-length movies), yielding clips with a greater than usual effect on the potential market for the underlying works. In short, a fair use defense is at best uncertain.

Wide-scale copyright infringement could expose Zango to substantial liability. The Copyright Act provides for statutory damages of “not less than $750” per violation. My examination indicates Zango is reproducing (at least) hundreds of copyrighted videos without any statement of authorization. Furthermore, such videos have surely been downloaded repeatedly — giving rise to potential statutory damages that could easily reach seven digits or more.

Widespread sexually-explicit material, including prominent explicit material nowhere labeled as such

Celebrity Videos Featured by Zango Celebrity Videos Featured by Zango

Prominent Video - Explicit but Unlabeled
Prominent Video – Explicit but Unlabeled

Browse Zango’s video library, and it’s easy to find sexually-explicit video. As shown in the first inset image at right, the bottom-right corner of each Zango “Browse” page gives a list of celebrities — each of them female, each featured in various states of undress. Among other explicit videos of these celebrities, Zango offers “Britney Spears See Thru“, “Britney Spears Black Dress Upskirt“, “Paris Hilton Striptease“, “Rachel Hunter in the Bathtub“, “Jessica Alba’s Chest and You“, “Jessica Simpson Nipple Slip“, “Anna Kournikova Panties Oops“, and “Angelina Jolie Sex Scene.”

The titles and descriptions of many of Zango’s videos suggest that their subjects were unwilling participants. See e.g. “nipple slip” and “upskirt” above, as well as additional videos like Zango’s “Arab wife’s sexy dance secretly taped” and Zango’s “Girlfriend Finds Hidden Camera.”

Through its placement and labeling of sexually-explicit videos, Zango creates a substantial risk that users will receive explicit materials they did not seek. For example, on May 24, I clicked “Browse” to flip through Zango’s content library. Using Zango’s default sort, the third video was entitled “the pool” with comment “havin fun in the pool” (s.i.c.). (Screenshot of the link from within Zango’s video library.) This title and comment give no indication that the resulting material is explicit. But clicking the “Watch” button immediately yields a large video showing two male adults swimming nude, then exiting the pool (entirely disrobed). As best I can tell, Zango did nothing to alert users to this explicit material, nor does Zango prevent (or even discourage) children from viewing such material.

Zango’s May 24 “the pool” video was not a mere anomaly. The same video remained linked in the same way in my tests on May 25 and 26, and on portions of May 27.

In litigation documents, Zango last week claimed that it never distributes explicit material to those do not want it. In particular, Zango argues: “Zango never sends unwanted links to pornography web sites” and “Zango only directs adult-oriented advertisements to a user after that user, by his own behavior, has demonstrated interest in such content.” I disagree. The preceding paragraphs offer a counterexample — Zango prominently providing a link to sexually-explicit materials, and provideing that links to users who never demonstrated interest in any such content. Zango may claim that these links tout videos — not a “web site” as in the first quoted sentence. Alternatively, Zango may claim that the links are not “advertisements” — hence beyond a strict reading of the second quoted sentence. But the underlying contradiction remains: Zango says it doesn’t provide pornography except when users seek it; yet in fact Zango does sometimes deliver explicit materials unrequested.

That Zango funds and distributes sexually-explicit materials is well-known. See e.g. the Sunbelt Blog’s February 2008 conclusion that “80% of [Zango’s] business comes from Seekmo, the porn side of its business.” See also Sunbelt’s off-hand November 2006 remark that “hardcore porno videos [are] funded through Zango Seekmo installs.”

But the scope of explicit materials within Zango’s video library is quite striking. Consider the first page of Zango’s library listings for Angeline Jolie. Beyond the “sex scene” video linked above, the listings also include “Angelina Jolie Taking a Bath”, “Angelina Jolie Under the Sheets”, “Angelina Jolie in Bra & Panties”, “A fairly long nude scene staring Angelina Jolie” (s.i.c.), “Angeline Jolie Getting It On”, “Angelina Jolie Nip Slip”, “Angelina Jolie Hardcore”, and “Angelina Jolie Dominatrix”, and “Angelina Jolie Hot On The Runway.” That’s ten explicit results out of twenty links — suggesting that explicit materials are remarkably widespread on Zango’s site.

The initial version of this article also flagged Zango’s “Nice But” (s.i.c.), a video that on May 27 occupied the fourth-most prominent position in Zango’s “Browse” listings. The thumbnail image of this video appeared to feature a full-screen display of a man’s naked buttocks, filling the entire screen. In a follow-up, Zango points out that in fact, the video shows an extreme close-up zoom of of two hands. So this image and video are not actually explicit. Yet a viewer merely flipping through Zango’s listings would nonetheless see an image that is, by all indications, explicit. The title “but” (s.i.c.) and the keyword “naked,” both adjacent to the thumbnail, reinforce the user’s perception of having seen an unrequested explicit image. Although the image is not actually explicit, the image’s content, placement, and labeling make it likely to leave users with the same feeling as an unrequested image that is actually sexually explicit: In both instances, a viewer who merely sees the image and does not watch the video will think he has seen an unwanted explicit image. In my view, Zango errs in mocking this harm. To the users who Zango tricks, the harm is perfectly real.

Zango’s audio library consists solely of prank phone calls to celebrities

Zango Offers Prank Phone Call Recordings Zango Offers Prank Phone Call Recordings

Zango’s content library offers three types of media: Videos, screensavers, and audio. Despite Zango’s much-touted “content economy,” Zango offers just eight audio clips. And although Zango’s “About Zango” description promises to provide free access to “music,” in fact all eight of these audio files are recordings from talk radio — just voices, with no music at all.

All eight of Zango’s audio recordings share a common theme: Prank phone calls to celebrities. In each, a caller pretends to be someone famous (e.g. the Prime Minister of Canada), and calls a celebrity (e.g. Bill Gates) under the guise of a bona fide discussion. The caller proceeds to berate the celebrity (e.g. by criticizing the features and reliability of Windows).

A comment in several of the videos reveals the source of the recordings: The Masked Avengers, which Wikipedia describes as “a Canadian radio duo … of disk jockeys and comedians Sebastien Trudel and Marc-Antoine Audette, known for making prank calls to famous persons by pretending to be government officials or officers in charitable organizations.” I wrote to Mr. Trudel, who confirmed to me that he has not granted Zango any license to use or reproduce these clips.

After placing these recordings in its content library, Zango further syndicates the materials onto Zango’s partner sites. For example, celebsprankd.com (screenshot) features all eight recordings, but requires users to install Zango before listening. Whois reports that Celebsprankd comes from the Vancouver, B.C. advertising firm Neverblue Media — a conclusion confirmed by the presence of the Neverblue.com web server at the same IP address. Neverblue describes itself as a “leading … online marketing company” offering “premier” advertising and “solid business leads” — claims arguably inconsistent with distributing and profiting from prank phone calls, not to mention distributing Zango. (But these recordings aren’t Neverblue’s only tie to Zango. This month alone, my Automatic Spyware Tester found eleven incidents of Neverblue affiliates buying popup traffic from Zango. I’ve also found dozens more incidents as to Neverblue affiliates buying traffic from other spyware.)

What of Zango’s distribution of these prank call recordings? With so few clips yet such prominent placement (including five of these eight audio recordings featured on Zango’s home page), senior Zango staff surely know what the files contain. Does Zango support prank phone calls? Wasting celebrities’ time under false pretenses? Recording phone calls without permission, even in states that specifically require such permission? It’s hard to reconcile these practices with Zango’s supposed reforms.

Widespread material users can get elsewhere for free, without any popups or other detriments

Much of Zango’s content is available elsewhere without charge and without installing any software that tracks online behavior or shows popup ads. For example, clicking Zango’s “Browse” tab and retaining defaults, every single video on the first page of results is syndicated from Revver. Users could just as easily get these videos directly from Revver, as receive them from Zango. But if users watched these videos at Revver, Zango’s software would not track their web browsing and searching, and users would not receive Zango’s popup ads.

Zango Falsely Claims that Uninstallation Eliminates Content Access Zango Falsely Tells Its Users:
“Uninstallation … eliminates content access”

Furthermore, Zango makes untrue claims about the necessity of its software. For example, Zango claims that “uninstallation … eliminates content access.” It does not. For files hosted at Revver, installation of Zango is not necessary to watch the videos in the first place, and uninstallation does not interfere with watching the videos later. Moreover, even many Zango-hosted files can be accessed without installing Zango, or after uninstalling Zango. For example, Zango’s “Chris Rock on the Daily Show” is actually just a standard Windows Media Video (WMV) distributed from the following URL: preview.licenseacquisition.org/123/1054944882.36393/yikers_chris_rock_on_the_daily_show.wmv . Zango’s “Borats First Trip To An American Gym” (s.i.c.) is preview.licenseacquisition.org/123/1054944854.02531/yikers_borats_first_trip_to_an_american_gym.wmv . Similarly, Zango’s “Bill Gates Gets Pranked” is a WMA hosted at preview.licenseacquisition.org/13/12295/12295.wma . Any user who knows these URLs can easily receive the corresponding files — without ever installing Zango, or after uninstalling Zango. Zango ought not claim otherwise.

Presenting material that content creators never asked to have included in any Zango library

By syndicating videos from Revver, Zango causes its video library to feature materials that content creators never asked to have associated with Zango in any way.

Zango’s syndication of Revver videos has prompted numerous complaints content creators who post videos to Revver. For example, Chris Pirillo asked why his videos are appearing on Zango. (“I don’t remember giving Zango permission to push crapware on my behalf.”) Revver forum user JPPI pointed out the irony of Zango claiming his videos were “FREE, thanks to Zango” when in fact the videos were free all along (even before Zango syndicated them). Revver forum user David complained that it is “kinda deceptive” (s.i.c.) “to make it sound like Zango was the one who made the video free.”

In response, Revver Vice President Asi Behar agreed to ask Zango to remove any Revver videos that Revver authors specifically so designate. But such removals do nothing to cure the deception of Zango requiring that users install its software before watching materials widely available elsewhere for free. Furthermore, such removals do nothing to protect Revver content creators who are unaware of Revver’s relationship with Zango. The word “Zango” appears nowhere on Revver’s official web site (as distinguished from Revver’s forums and some Revver-hosted videos). Thus, a Revver content creator has no easy way to learn about Revver’s relationship with Zango — not to mention learn of the option to request exclusion from Zango.

Zango’s syndication of Revver videos risks tainting the good name of Revver content creators. Consider a user who searches for a Revver video and finds that video hosted at Zango (just as Chris Pirillo did last year). The user may mistakenly conclude that installing Zango is in fact necessary to watch the video. If so, the user is likely to end up with a negative view of the underlying content creator — mistakenly concluding that, e.g., Chris Pirillo has partnered with Zango or endorses Zango’s activities. Revver forum complaints indicate that numerous Revver users share this concern. Yet Revver continues to syndicate videos to Zango without first checking with content creators.

Zango’s problems in context

Last week, Zango was one of four finalists for the Software & Information Industry Association’s CODiE Best Video Content Aggregation Service. In my view, that award is misguided: Far from deserving praise, Zango should be criticized and shunned for reproducing others’ copyrighted work without any apparent license to do so, showing sexually-explicit material unrequested, and offering users a lousy value by bundling extra ads with content users could get elsewhere for free.

Meanwhile, Zango continues litigation with Kaspersky. Recall: Kaspersky blocked Zango’s software from installing; Zango sued; Kaspersky successfully defended on the grounds that the Communications Decency Act, 47 USC 230, immunizes Kaspersky’s behavior because Kaspersky is an “interactive computer service provider” blocking material that, in its subjective opinion, is “objectionable.” In Zango’s appeal, Zango claims its software is not “otherwise objectionable” (brief pages 12-15; PDF pages 17-20). If it’s not objectionable to show explicit material unrequested — not to mention to infringe copyrights on a massive scale, and to insert extra ads around material available elsewhere without such ads – then I don’t know what is.

Finally, I’m often asked whether Zango continues the behaviors I previously reported. Installing through sneaky fake-user-interface pop-up ads that mimic the appearance of official Windows dialog boxes (as I reported last summer)? Yes. I made a fresh video showing such installations just last week.Defrauding advertisers through popups that cover merchants’ sites with their own affiliate offers(as I reported last spring, in September 2005, in summer 2004, and otherwise)? Definitely. This month alone, I reported six Zango incidents to just one of my advertiser clients — not to mention scores of other incidents targeting other web sites and advertisers. Zango repeatedly claims its problems are all in the past, but my hands-on testing continues to indicate otherwise.

Opening Dot EU (teaching materials)

Edelman, Benjamin. “Opening Dot EU (A).” Harvard Business School Case 908-052, March 2008. (Revised April 2008.) (educator access at HBP. request a courtesy copy.)

EURid considers possible market mechanisms to allocate initial domain names within the Internet’s newly-created “dot EU.” European Union regulations and community norms substantially constrain EURid’s approach, preventing the use of the most natural economic mechanisms (such as auctions).

Supplement:

Opening Dot EU (B)- Supplement (HBP 908053)

Coupons.com and TRUSTe: Lots of Talk, Too Little Action updated March 20, 2008

Six and a half months ago, I reported a variety of bad practices at Coupons.com. Key among my concerns: Coupons.com stored data in deceptive filenames and registry entries designed to look like part of Windows — with names like c:\WINDOWS\WindowsShellOld.Manifest.1 and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Presentation Style. Furthermore, Coupons.com failed to remove these files upon a user’s specific request to uninstall.

Because Coupons.com was certified by TRUSTe Trusted Download, I reported these behaviors through TRUSTe’s Watchdog form. TRUSTe investigated and, it claimed, required Coupons.com to make changes. Last month, TRUSTe declared success: “Coupons, Inc. rolled out a number of significant changes …. To improve registry key and naming (s.i.c.), the new version of the software uses an improved security scheme that writes only one registry key placed in a typical location, named in an appropriate manner.” TRUSTe concluded by giving itself a pat on the back — calling this sequence “an excellent outcome” in that “[a] user found a problem, filed a complaint, and TRUSTe worked with the Participant to make necessary corrections.”

I wanted to see for myself whether TRUSTe’s oversight is as effective as TRUSTe claims. So I downloaded Coupons.com’s current software onto an ordinary computer in my lab. (I couldn’t use a VMware virtual machine because Coupons.com detects VMware and refuses to install.) To my dismay, Coupons.com’s software continued to create the same deceptively-named files and registry keys I reported in August:

c:\WINDOWS\uccspecc.sys
c:\WINDOWS\WindowsShellOld.Manifest.1
HKEY_CLASSES_ROOTManifest.Template.1shellex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\uccspecc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Presentation Style
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\EnableAutoTrayHistory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\UrlDecoding

I prepared a screen-capture video to confirm and memorialize the deceptively-named files and registry keys. (My video begins by showing the New York Times front page, to demonstrate the date of testing.)

I then used Control Panel – Add/Remove Programs to attempt to uninstall Coupons.com’s software. I found that the specified files and registry keys all remained in place — even though TRUSTe further promised that “[t]he new version uninstaller removes the files.”

What’s going on? Maybe TRUSTe tested a different version of Coupons.com’s software than the version offered to the public. Maybe Coupons.com posted the wrong file. But whatever the reason, TRUSTe’s claims are inconsistent with my test results.

TRUSTe’s Oversight and What to Do Next

My testing indicates that Coupons.com has not made the changes TRUSTe specified. In particular, Coupons.com continues to use multiple registry keys and filenames with intentionally deceptive locations and names — exactly contrary to TRUSTe’s claim that “only one registry key” is used and that it is placed in a “typical location” with an “appropriate” name. Furthermore, Coupons.com leaves these files and registry keys after uninstall — exactly contrary to TRUSTe’s claim that the new uninstaller “removes the files left behind.”

Far from TRUSTe’s self-congratulatory rhetoric, Coupons.com’s practices reflect badly on TRUSTe: Despite clear violations widely reported 6+ months ago and a supposed investigation by TRUSTe, the problems continue to this day.

Worse, through two different channels, TRUSTe has falsely told users they can trust Coupons.com. First, Coupons.com has continuously remained on TRUSTe’s Trusted Download “whitelist” despite my initial report. That is, TRUSTe continued to certify Coupons.com even when TRUSTe knew of Coupons.com’s deceptive practices and even when there was no dispute that the practices were ongoing. A better strategy, per my September 2007 recommendation, would be to suspend violators until they have fully corrected their practices. Otherwise, a user looking at the “whitelist” cannot know which companies are truly in good standing, versus which have fallen short and are must make improvements.

Second, TRUSTe has posted announcements (1, 2) that falsely characterize the status of Coupons.com’s improvements: In September TRUSTe promised the changes would be “completed within 90 days” — but in fact, they’re still not in place 180 days later. In February TRUSTe proclaimed the changes complete — but in fact Coupons.com’s software still has the same problems I previously identified.

These failings go to the core of TRUSTe’s promise to “make privacy your choice.” TRUSTe claims to be giving users the information they need to make informed decisions. However, TRUSTe’s information is systematically in error — to the benefit of the companies that pay TRUSTe to get certified, but to the detriment of any users who mistakenly rely on TRUSTe’s investigations.

An Additional Violation: Executable Software Left Behind After Uninstall

My recent tests also revealed a new file I hadn’t noticed in prior tests: c:\WINDOWS\system32\cpnprt2.cid. How did I miss this file? It appears only after a user first prints a coupon — not when a user initially installs Coupons.com software. So this file wasn’t created in my prior testing.

Despite the file’s unusual .CID extension, the file is actually a DLL containing executable code. Although “cpnprt” bears some relationship to Coupons.com’s product name (“CouPoN PRinTer”), I can see no proper reason to place this file within c:\WINDOWS\ rather than in c:Program Files\Coupons with Coupons.com’s other files. So Coupons.com’s improper file locations include not only data files (like those listed above), but also executable code.

Moreover, I see no proper reason for calling the file a .CID rather than the DLL that it is. This misnaming serves to further obfuscate the file’s purpose and to prevent typical users from determining that the file contains executable software code.

In separate testing, I confirmed that this file remains on a user’s computer even after the user removes Coupons.com’s software. (This too is shown in my screen-capture video.) So Coupons.com leaves behind not just data, but also executable software. Leaving executable code stands starkly in contrast to Coupons.com’s license agreement which mentions only that “license keys wil not be removed when the Software is uninstalled” — but says nothing about software code left behind.

Coupons.com violates TRUSTe Trusted Download requirements when it leaves executable code after a user’s uninstall request. Trusted Download rule 7.(a)(ii) requires a complete uninstall and allows only limited exceptions — none of them applicable here. (The closest exception allows “properly disclosed anti-fraud … measures” — but this practice is not “properly disclosed,” nor is surviving executable code required to track whatever practices might conceivably be at issue.) Coupons.com’s cpnprt2.cid file therefore constitues another violation of applicable Trusted Download rules.

Coupons.com’s Ongoing DMCA Litigation with John Stottlemire

Last summer I mentioned Coupons.com’s misguided DMCA litigation against John Stottlemire. The case drags on: John’s blog reports ongoing events, including John’s motion to dismiss, the court’s granting of that motion, Coupons.com’s second amended complaint, and John’s second motion to dismiss.

My view remains that this litigation is ill-advised for Coupons.com: Coupons.com has too much work to do, improving its own software and its own business practices, to waste management time and attention on pursuing a user who merely helped others remove deceptively-named files and registry keys. Coupons.com has nothing to gain here: Even if Coupons.com can force John to stop telling users how to remove unwanted Coupons.com software, others will immediately pick up where John left off.

There’s plenty more to be said about the case — especially, concern at using the DMCA to stifle useful public-interest discussion of how to remove unwanted software from an ailing computer. But I’ll leave that to others: TechDirt, Wired, and various bloggers.

Update (March 20, 2008)

TRUSTe’s Response and My Hands-On Testing

In a March 19 posting, TRUSTe claims that the issues described above reflected Coupons.com software available only between March 15 and March 17. But TRUSTe stands behind its February report that Coupons.com had “addressed [the] concerns” TRUSTe previously raised based on my prior article. I emphatically disagree. In particular, my hands-on testing, memorialized in video records, clearly demonstrates that Coupons.com continues to violate TRUSTe’s prior instructions and applicable TRUSTe rules. Consider my March 19 video:

1. At 0:02, I demonstrate the current date and time. I then run an InCtrl scan to record existing files and registry keys.

2. At 1:15, I begin to browse the Coupons.com site, and at 1:25 I attempt to print a coupon. 

3. At 1:33, I begin to install the Coupon Printer program, including providing a name and email address when requested (2:20). 

4. At 2:55, I browse c:\WINDOWS\ to show the newly-created and deceptively-named CID file (as discussed above).  I then proceed to find a file by the same name placed in c:\WINDOWS\system32 also.

5. At 3:30, I rerun Inctrl to identify newly created files and registry keys.  The results are visible beginning at 5:35.  I notice the HKEY_CLASSES_ROOT\English.cpl registry key in the listing (5:45), and at 5:50 I use Regedit to confirm that the key is indeed present. 

6. At 6:30, I request an uninstall in the usual way (Control Panel – Add or Remove Programs).  I then show that deceptively named file remains in c:\WINDOWS\ (7:14) and c:\WINDOWS\system32 (7:08); despite my uninstall request, these files were not removed.  I show that the deceptively-named registry key remains also (7:02). 

The Violations Revealed by My Hands-On Testing

The preceding video presents three separate different violations of TRUSTe rules and of TRUSTe’s prior representations of Coupons.com’s supposed compliance:

A) Step 4 shows a deceptively-named file placed on a user’s computer. There is no proper reason to call this file a .CID rather than the DLL that it is. Nor is there any proper reason for Coupons.com to place the same file in both c:\WINDOWS\ and c:\WINDOWS\system32. Indeed, my tests indicate that Coupons.com sometimes uses one of those folders, sometimes the other, and sometimes both — a randomization procedure with no proper purpose, but with the natural effect of confusing users and hindering detection and removal.

These deceptive filenames are exactly contrary to TRUSTe’s claim that it has resolved the problem of Coupons.com’s “inappropriately-named files.” These deceptive filenames and randomized locations also violate TRUSTe rule 14(e)(v), which prohibits “using randomized or intentionally deceptive file names … for the purpose of avoiding detection and removal.”

B) Step 5 shows a deceptively-named registry key. Coupons is not, and is not commonly known as, “English.cpl.” Indeed, the file extension “CPL” indicates a Control Panel applet or extension — but Coupons.com offers no such extension. Neither does Coupons.com have any proper basis to place its configuration data in HKCR — a registry area reserved for file extensions and COM class registrations. Rather, Coupons.com clearly chooses this area to store its configuration data because users would never think to look here. Indeed, in repeated testing, I found that Coupons.com sometimes used other keys instead. For example, in a separate video early on March 19, I found that Coupons.com used HKCRWeb.Template.URL rather than HKCREnglish.cpl. Randomization of registry keys further confirms that Coupons.com uses these registry locations to avoid detection.

These randomized and intentionally-deceptive registry keys are exactly contrary to TRUSTe’s claim that all registry keys are “placed in a typical location [and] named in an appropriate manner.” These deceptive filenames and randomized locations also violate TRUSTe rule 14(e)(v), which prohibits “using randomized or intentionally deceptive … registry entries for the purpose of avoiding detection and removal.”

C) Step 6 shows that Coupons.com fails to remove all its files and registry keys upon a user’s specific request to uninstall.

The retention of these files is exactly contrary to TRUSTe’s claim that the “new version uninstaller removes the files left behind.” The retention of these files also violates TRUSTe rule 7.(a)(ii), requiring a complete uninstall and allows only limited exceptions — none of them applicable here.

The retention of these files also violates Coupons.com’s license agreement — which mentions only that “license keys will not be removed when the Software is uninstalled,” but says nothing about software code left behind. Although TRUSTe’s Trusted Download rules do not specifically require that a company comply with the provisions of its license agreement, I take such compliance to be so obvious that it does not require a specific mention. Coupons.com’s violation of representations in its own license agreement therefore constitutes yet another violation of TRUSTe requirements.

Additional Violations: Coupons.com Retrieving Windows CD key and system serial numbers

In testing using API and registry-monitoring tools, I have determined that Coupons.com retrieves a wide variety of sensitive Windows registry keys and computer configuration settings including Windows Product ID, Windows CD key, motherboard serial number, and hard drive serial number. These numbers serve to identify a specific individual computer, and these numbers persist over the lifetime of a computer. Coupons.com. These practices stand in sharp contrast to Coupons.com’s representations to users:

  • The Coupons.com “promo” promises that “The Coupon Printer does not gather or ask for any personal information about … your computer.” Yet my testing indicates that Coupons.com gathers detailed computer-specific information about each computer on which it is installed.
  • Coupons.com’s privacy policy similarly promises that “The Coupons, Inc. software … only collect[s] information about what coupons have been printed and redeemed from your computer” — again, directly at odds with my observation that Coupons.com collects far more information.
  • Coupons.com’s license agreement discloses this information collection only by admitting that the “software uses anonymous, assigned numbers and/or anonymous information about your computer or device.” But the numbers at issue are not anonymous: These numbers identify a specific individual user based on the user’s unique and unvarying Windows CD key, motherboard serial number, and hard drive serial number. TRUSTe rule 1.qq defines such information to be pseudonymous (“information that may correspond to a person [such as] machine ID”), while rule 1.i defines anonymous information to exclude all pseudonymous information. Coupons.com thus errs in characterizing these numbers as “anonymous.” Moreover, Coupons.com errs in disclosing this data collection practice only in its license agreement; because this practice speaks to user privacy, it belongs in Coupons.com’s privacy policy.

TRUSTe’s Ineffective Investigation and Response

TRUSTe staff could have identified each of these defects when they tested Coupons.com software in February. Instead, TRUSTe staff issued a boilerplate endorsement — failing to identify shortcomings that would have been apparent in any careful analysis.

Remarkably, even after my post above and even after John Stottlemire’s March 18 post detailing many of these issues in great detail, TRUSTe nonetheless described Coupons.com’s problems as “corrected.” TRUSTe even called this process “a good example of how the [Trusted Download] program should work.” I emphatically disagree: Coupons.com remains flagrantly in violation of TRUSTe’s instructions and rules, and TRUSTe has failed either to obtain suitable corrections or to eject Coupons.com from its whitelist.

To this day, Coupons.com is in breach of TRUSTe’s rules, and TRUSTe knows it. Yet Coupons.com remains listed on TRUSTe’s whitelist as if its practices are beyond reproach and as if the company is in good standing vis-a-vis TRUSTe’s rules. That’s outrageous, and users should demand better.

Critiquing C-NetMedia’s Anti-Spyware Offerings and Advertising Practices

Not every “anti-spyware” program is what it claims to be. Some truly have users’ interests at heart — identifying and removing bona fide risks to privacy, security, stability, or performance. Others resort to a variety of tricks to confuse users about what they’re getting and why they purportedly need it.

This article reports the results of my examination of anti-spyware software from C-NetMedia. I show:

  • Deceptive advertising, deceptive product names, and deceptive web site designs falsely suggest affiliation with security industry leaders. Details.
  • The use of many disjoint product names prevents consumers from easily learning more about C-Net, its reputation, and its practices. Details.
  • High-pressure sales tactics, including false positives, overstate the urgency of paying for an upgraded version. Details.

Note that C-NetMedia is unrelated to the well-known technology news site CNET Networks. Details.

Deceptive advertising, deceptive product names, and deceptive web site design falsely suggest affiliation with security industry leaders.

Some C-NetMedia products are marketed using practices, keywords, labels, and layouts that falsely suggest they come from security industry leaders. This suggestion comes from both the actions of C-Net itself, as well as from the actions of C-Net’s marketing partners.

Google Shows Deceptive Ads for C-Net's Products
Google Shows Deceptive Ads for C-NetMedia’s Products

Consider the top three ads for a Google search for “Spybot”, a popular early anti-spyware program (full name “Spybot Search & Destroy”). As shown at right, the top three ads each specifically mention “Spybot” — the first two, in directory names; the third, in its domain name. Furthermore, all three ads also include the distinctive and original phrase “Search & Destroy” that specifically describes the genuine Spybot product. Yet in fact each of these three ads takes users to the unrelated site spywarebot.com (emphasis added) (screenshots: 1, 2, 3). Clicking the first ad immediately takes a user to spywarebot.com via the ClickBank advertising network. As to the second and third ads, traffic flows through independent “landing page” sites which in turn show ClickBank links to promote Spywarebot. These landing pages are hosted on the deceptively-named domains named spybot-sd-info.com and www-spybotcom.com — each further (but falsely) suggesting an affiliation with the genuine “spybot” product.

C-NetMedia partners similarly fill top ad spots for a search for “Ad-Aware”, another well-known anti-spyware program. The top ad promotes C-Net’s adwarealert.com — a name particularly likely to confuse users because the ad’s title and domain differ from the user’s request by just a single letter. The first ad takes the user to adwarealert immediately, while the second ad takes users to a www-ad-ware.com landing page which also promotes adwarealert.com (again via ClickBank).

Other deceptive C-NetMedia partners pervade search results for spyware-removal search terms. See e.g. “Spybot-free.com” using distinctive “Spybot” “Search & Destroy” marks to promote C-Net’s spywarebot.com. See also C-Net’s Registrysmart.com advertising with ad title “Microsoft Antispyware” in Google results for searches on “Microsoft Spyware”. Because the Registrysmart ad title touts “Microsoft Antispyware”, users might reasonably think the ad will yield an official Microsoft site that actually provides the free “Microsoft Antispyware” product. But in fact the link leads only to a C-Net site with paid products.

C-NetMedia may claim that these ads were placed by affiliates. But the actions of these affiliates are prominent — occurring on search terms as well-known as “Spybot” and “Ad-Aware.” These actions are also longstanding: My October 2006 False and Deceptive Pay-Per-Click Ads shows that some of these ads have continued for more than a year. Furthermore, these affiliates act for C-Net’s benefit, and C-Net has the right and ability to monitor them, to oversee their activities, and to limit their efforts as it sees fit. Finally, FTC litigation confirms that companies can be liable for the actions of their affiliates and marketing partners. See e.g. US v. APC Entertainment (advertiser liable for sexually-explicit unsolicited commercial email sent by its affiliates), In the Matter of Zango, Inc. (advertising software company liable for nonconsensual and deceptive installations of its software by its partners), In the Matter of Direct Revenue LLC (same).

C-NetMedia’s involvement in these advertising practices is heightened by C-Net’s own selection of product names. C-Net, not its affiliates, chose product names so close to established market leaders — names that invite consumer confusion. C-Net furthers the confusion by calling its products “official” (e.g. “The Official Ad-Ware Client“, emphasis added) when there is no meaningful sense in which C-Net’s products are more “official” than any other. Indeed, when users arrive at C-Net sites after requesting similarly-named better-known competitors, C-Net’s offerings are exactly not the official products users specifically requested by name.

Some C-Net sites are also deceptive in that their titles and graphic design falsely suggest they are an official part of Windows. Consider antispyware.com. The site’s heading presents the generic title “AntiSpyware For Windows” — without mentioning any company name or showing any other prominent indication that the product is not actually part of Windows. Furthermore, antispyware.com shares numerous graphic design elements with official Microsoft sites: Like official Microsoft sites, antispyware.com features a broad blue bar across the top of the page, bold white type at top-left with smaller white type at top-right, a grey navigation bar down the left edge (with thin black lines as section separators, and with simple black text), a grey nav bar down the right edge (with broad grey bars to separate sections, and with blue bulleted text), a grey background, a skewed 3D rendering of a product screen at page center, and a vivid colored bubble at top-center, linking to a product download. See the two screenshots below — antispyware.com on the left, and the official Microsoft Windows Defender download page on the right. These many visual similarities make it especially likely that a user at antispyware.com will mistakenly believe the site is an official Microsoft offering.

 
C-NetMedia’s Antispyware.com
 
Microsoft Windows Defender

Some C-NetMedia sites give users the false impression that they are bona fide informational sites rather than commercial advertisements. For example, Remover.org presents itself as a general-purpose spyware information site, but Remover.org actually promotes only one product — C-Net’s “AntiSpyware For Windows.” Furthermore, Remover.org claims to have “one goal and one purpose: to win the war on spyware” — suggesting a non-commercial purpose, when in fact Remover charges a fee for its removal program. The totality of these practices suggests that a user at Remover.org may reasonably think he is viewing an ordinary informational site and/or a source of unbiased reviews, when in fact the site is a C-Net advertisement.

Hindering Consumer Investigations through Use of Numerous Product Names and Domains

C-Net uses exceptionally many product names and domain names. My analysis indicates that the following products and domains all come from C-NetMedia:

Site Whois IP Address Trademark
adware.pro Whois-Proxy 72.32.100.197  
ad-warealert.com Domains By Proxy (GoDaddy) 72.32.242.170 – C-Netmedia 77047467 – November 20, 2006 – C-Netmedia
adwarealert.com Domains By Proxy (GoDaddy) 72.32.29.230 77047467 – November 20, 2006 – C-Netmedia
adwarearrest.com Syber Corporation
8400 East Prencitce Avenue, Ste 1500  
Greenwood Village CO 80111
72.32.134.197  
adwarebot.com Domains By Proxy (GoDaddy) 72.32.242.171 – C-Netmedia  
antispyware.com Domains By Proxy (GoDaddy) 72.32.26.195 77073855 – December 30, 2006 – C-Netmedia
antispywarebot.com    Domains By Proxy (GoDaddy) 72.32.48.186 77047469 – November 20, 2006 – C-Netmedia
errorkiller.com C&C Networks
3630 County Ct S
Mobile, AL 36619  
72.32.242.171 – C-Netmedia    77047443 – November 20, 2006 – C-Netmedia   
errorsmart.com Domains By Proxy (GoDaddy) 73.32.26.195  
errorsweeper.com Domains By Proxy (GoDaddy) 73.32.48.186 77047440 – November 19, 2006 – C-Netmedia
evidenceeraser.com  Domains By Proxy (GoDaddy) 73.32.29.230 77073969 – December 31, 2006 – C-Netmedia
free-pc-repair.com Ofer Shoshani
747 Durshire Way
Sunnyvale, CA 94087
72.32.100.197  
free-registrysmart.com    Domains By Proxy (GoDaddy) 72.32.242.171 – C-Netmedia 77047441 – November 20, 2006 – C-Netmedia
macrovirus.com Domains By Proxy (GoDaddy) 72.32.242.171 – C-Netmedia  
malwarebot.com Domains By Proxy (GoDaddy) 72.32.242.169 – C-Netmedia 77047470 – November 20, 2006 – C-Netmedia
privacycontrol.com Domains By Proxy (GoDaddy) 73.32.48.186 77073857 – December 31, 2006 – C-Netmedia
privacycontrols.com Domains By Proxy (GoDaddy) 73.32.48.186 77073859 – December 31, 2006 – C-Netmedia
regclean.com Domains By Proxy (GoDaddy) 73.32.48.186  
regrecall.com Domains By Proxy (GoDaddy) 73.32.90.213  
registrybot.com Domains By Proxy (GoDaddy) 72.32.242.169 – C-Netmedia 77047445 – November 20, 2006 – C-Netmedia
registryclear.com Bruce Cope
3630 County Ct S
Mobile, AL 36619
72.32.134.197  
registrysmart.com PrivacyPost (Dotster) 73.32.29.230 77047441 – November 20, 2006 – C-Netmedia
regsweep.com Domains By Proxy (GoDaddy) 73.32.26.195 77047438 – November 19, 2006 – C-Netmedia
remover.org Domains By Proxy (GoDaddy) 72.32.26.195  
restore-pc.com Domains By Proxy (GoDaddy) 73.32.29.230  
spywarebot.com Domains By Proxy (GoDaddy) 73.32.134.197  
spywareremover.com C&C Networks
3630 County Ct S
Mobile, AL 36619
64.49.219.215  

The United States Patent and Trademark Office’s Trademark Search provides the brunt of my evidence that the listed sites are associated with C-Netmedia. Other evidence comes from the 73.32.242.168-175 network block that C-Net uses at Rackspace. (Rackspace also hosts all of the other listed C-Net sites. The 64.49.219.215 server is indeed a Rackspace server, despite its distant IP address.) My conclusion is bolstered by the many other similarities among these sites, including their common substantive theme, structure, layout, registration method, and advertising relationships and suppliers. Furthermore, the sites’ programs are largely similar — with identical detections, false-positives, and user interfaces.

An ordinary user would face substantial difficulty in determining that a given site is operated by C-NetMedia or in finding C-Net’s contact information. At a few of the sites, a user would at least find a street address in Whois. But the other domains all lack useful Whois data. Furthermore, while the listed web sites offer email and/or chat support, they all lack a phone number, mailing address, or even a legal name or place of incorporation. A user seeking to send a formal complaint therefore has no clear means to do so. Savvy users might notice a reference to C-NetMedia within a program’s license agreement. But these references appear only in the licenses shown by programs’ installers — not in the license agreements linked from the corresponding web sites. So these references to C-Net are especially hard to find after a user has already received C-Net software.

A user who manages to identify the C-Net company name, e.g. from trademark applications, is still substantially stymied in learning more about the company. The name “C-NetMedia” immediately suggests an association with CNET Networks, Inc., the well-known news site at www.cnet.com. In fact C-NetMedia and CNET Networks are entirely unrelated. But by choosing a name that matches an existing company, C-Net hinders attempts to learn more about its practices: Searches for “C-Net” overwhelmingly yield references to CNET Networks.

C-Net’s use of many names brings valuable benefits to C-Net but real costs to users: The numerous names prevent users’ unfavorable views of specific C-Net products (examples: 1, 2, 3, 4, 5) from easily spreading to other C-Net products. If C-Net had only a single product, users searching for that product would easily find the complaints of prior dissatisfied users. But by shifting from name to name, C-Net can abandon product names with unfavorable coverage, in each instance starting fresh with a new name. In this regard, C-Net’s approach is strikingly similar to Direct Revenue’s use of dozens of company and product names.

It seems C-Net sometimes uses the name 2squared to describe its offerings. The 2squared.com site claims to be the maker of at least some of C-Net’s products (including ErrorSweeper and RegClean). While C-Net’s trademark applications list one address in Mobile, Alabama (590 B Schillinger Road South, Suite 8), 2squared provides the adjacent suite 10.

C-Net’s trademark applications all list Erik Mv. Pelton as their attorney of record. Mr. Pelton’s tm4smallbiz.com site indicates that he is a bona fide trademark attorney with an office in Arlington, Virginia.

High-Pressure Sales Tactics and False Positives

C-NetMedia SpywareBot False Positives C-NetMedia SpywareBot False Positives

Once a user installs C-NetMedia’s free trial software, C-Net resorts to high-pressure tactics to encourage users to make a purchase.

I tested C-Net’s SpywareBot on a clean PC running Windows XP with no service packs,. My test PC was supplemented only by the ordinary analysis tools I use to study spyware and adware infections. SpywareBot detected Regsnap, my registry change-tracking tool, as the “Absolute Keylogger.” Bold red “Warning” messages repeatedly alerted me to the supposed “43 parasites” on my computer, and a “toast”-style slider arose from the bottom-right corner of my screen. Perhaps this was just an ordinary false positive — a mistake that any security program can make. But C-Net’s error was unusually self-serving in that C-Net requires users to pay a fee — in this case $19.95 — before removing any of the items it detects.

C-Net’s many products mean extended further investigation would be required to fully determine the effectiveness and error rates of C-Net’s various programs. Due to the seriousness of the advertising practices described above, I have chosen to post this article without fully testing for such false positives or other deficiencies across all of C-Net’s programs and across a variety of test computers. I will update this article to link to any such research performed by others.

Other Anomalous Marketing Practices: Affiliate Programs, Certifications, and Logos

C-NetMedia’s marketing programs are striking in their generosity: C-Net offers its affiliates 70% commissions on users’ purchases. Such large commissions tend to suggest that charges to users bear little relationship to the underlying cost of providing the service. In particular, when a user arrives at C-Net’s site through an affiliate link, at least 70% of the user’s payment goes towards marketing costs. But if marketing receives 70% of revenue, relatively little remains to fund product design or other core business functions. A user might be better off with a free product — such as the free products with names nearly identical to the names C-Net selected.

Many C-Net sites feature McAfee Hacker Safe certifications.C-NetMedia sites systematically and prominently tout certifications that are substantially irrelevant to the true attributes of C-Net software. For example, C-Net’s Adwarealert site boasts a McAfee HackerSafe logo. When this logo appears on a site offering security software, a user might reasonably think the logo means the site’s software will keep the user safe from hackers. But in fact HackerSafe signifies nothing of the kind: HackerSafe has merely checked the Adwarealert web server for a set of known security problems. C-Net’s use of the HackerSafe certification thus has the tendency to deceive, i.e. to leave users with an untrue impression of the certification’s significance.

Update (February 14, 11:30am): I notice that McAfee has withdrawn HackerSafe certification of C-NetMedia sites. C-NetMedia sites now show blank space where the logo previously appeared.

Adwarealert also features a Microsoft “Certified for Windows Vista” seal. Microsoft’s certification list confirms that Adwarealert did receive this certification. But it seems Adwarealert does not truly qualify for this certification because Adwarealert violates rule 1.11 of the Microsoft certification requirements, namely the requirement that a certified program comply with all applicable guidelines from the Anti-Spyware Coalition. The ASC’s Risk Model negatively characterizes incomplete or inaccurate identifying information; obfuscation; and misleading, confusing deceptive or coercive messaging or false claims to induce users to take action. By failing to readily provide accurate contact information, by using misleading product names, and by reporting false positives with a request for payment, Adwarealert violates each of these requirements. I therefore conclude that Adwarealert is ineligible for the “Certified for Windows Vista” certification.

C-NetMedia’s sites also feature unsubstantiated claims of product benefits. C-Net sites feature the following logos: “Guaranteed – 100% No Adware or Spyware”, “#1 Most Advanced Privacy Software”, “#1 Registry Cleaner”, “100% Safe and Secure”, “Total Privacy Protection,” “Most Advanced Anti-Spyware Detection,” and “World’s #1 Spyware Remover.” None of these claims contains, references, or links to any substantiation, documentation, or other supporting details. Some of these claims are presented in graphical form, i.e. in logos that appear to be endorsements or certifications. But C-Net gives no indication of any bona fide third party offering these endorsements; instead, the graphics seem to be C-Net’s own creation.


Work To Be Done

My analysis shows ample room for online advertising and security vendors to better protect users from C-NetMedia’s deceptive advertising practices:

  • Google and other search engines could block the widespread deceptive ads from C-NetMedia and its marketing partners. C-Net and its partners have continued these practices for more than a year. Google claims to be tough on malware, and Google does exclude some harmful organic search results. But Google has been ineffective in removing the false and deceptive ads shown above, among many others, despite ample complaints from users and security researchers.
     
  • McAfee could remove its Hacker Safe certification from C-NetMedia sites. At present, the McAfee logo gives users the false impression that McAfee endorses C-Net and the McAfee vouches for the effectiveness of C-Net’s software. I gather neither is truly the case. Indeed, McAfee’s HackerSafe certifies some C-Net sites at the same time that McAfee’s SiteAdvisor characterizes rates those same sites as red. In my view, the SiteAdvisor rating better describes the view of security experts and better serves typical users. (Disclosure: I serve as a member of the Board of Advisors of McAfee SiteAdvisor.) (Update, February 14, 11:30am: McAfee has withdrawn HackerSafe certification of C-NetMedia sites.)
     
  • Microsoft could withdraw its Certified for Windows Vista certification on the basis of C-NetMedia’s violations of various ASC rules, as cited above. Anticipating this kind of harmful marketing practices, Microsoft’s certification rules provide ample basis for excluding C-Net on the basis of its deceptive advertising. Microsoft’s concern should be particularly acute because C-Net copied the layout and format of the Microsoft Antispyware site, because C-Net marketing partners trade on Microsoft’s brand name and product names, and because C-Net products worsen the experience of Windows users (i.e. by charging a fee for security software, when Microsoft provides similar software for free).
     
  • ClickBank could eject C-NetMedia from ClickBank’s affiliate network due to the pattern and practice of false and misleading ads placed by ClickBank affiliates in their promotion of C-Net offers. ClickBank’s Client Contract specifically prohibits fraudulent, deceptive, false or misleading information in advertising messages (clause 7.n.), and Clickbank reserves the right to immediately suspend violators (9.d.). But at present, C-NetMedia seems to remain a ClickBank clent in good standing.

Thanks to security researcher Janie Whitty for references on C-NetMedia’s trademark registrations.

A Closer Look at Coupons.com updated September 24, 2007

I recently examined software from Coupons.com. At first glance their approach seems quite handy. Who could oppose free coupons? But a deeper look reveals troubling behaviors I can’t endorse. This piece summarizes my key concerns:

  • Installing with deceptive filenames and registry entries that hinder users’ efforts to fully remove Coupons’ software. Details.
  • Failing to remove all Coupons.com components upon a user’s specific request. Details.
  • Assigning each user an ID number, and placing this ID onto each printed coupon, without any meaningful disclosure. Details.
  • Allowing third-party web sites to retrieve users’ ID numbers, in violation of Coupons.com’s privacy policy. Details.
  • Allowing any person to check whether a given user has printed a given coupon, in violation of Coupons.com’s privacy policy. Details.

The Coupons.com business

Coupons.com offers users coupons which they can print at home, then redeem at retailers.

Coupons.com specifically promises users that they may "use as many [coupons] as [they] like." But in fact, Coupons.com takes great pains to limit how many coupons users can print. Rather than simply letting users print GIF or JPG coupons from an ordinary web page, Coupons.com requires that users install a coupon-printing ActiveX control. Coupons.com also customizes each coupon with information about who printed it and when. These design decisions increase the complexity of Coupons.com’s business — giving rise to the serious consent and privacy issues set out below.

Installing with deceptive filenames and registry entries

On an ordinary test PC that had never previously run any software from Coupons.com, I installed Coupons.com’s Coupon Bar 5.0 software. I requested a coupon to be printed, then ran an "InCtrl" comparison of changes made to my computer. InCtrl revealed the following new files and registry entries:

c:\windows\uccspecc.sys
c:\windows\WindowsShellOld.Manifest.1
HKEY_LOCAL_MACHINE\SOFTWARE\ClassesManifest.Template.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\uccspecc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Presentation Style
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\EnableAutoTrayHistory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\URLDecoding

Each of these entries consisted of a 30 to 90-letter string of gibberish. For example, the contents of uccspecc.sys exactly matched the contents of the first three registry entries: HtmWSrewvuaCGtKrVlXxMKdbMkLfgHq.

Others have also noticed these oddly-named files. For example, McAfee SiteAdvisor reports every file and registry entry Coupons.com creates.

These Coupons.com filenames and registry keys are deceptive, for at least three different reasons.

1) The labels falsely suggest that the components are part of Windows, rather than third-party add-ins. For example, the files and registry keys are placed in locations reserved for Windows itself, not for third-party applications. Furthermore, Coupons.com’s choice of filename and registry keys affirmatively misrepresents the function of the specified components.

2)The labels falsely suggest that the components are system files. For example, the .SYS file extension has a special meaning to Windows (e.g. for device drivers and other system components), but the Coupons.com file serves no such "system" function. Registry keys as to (supposed) Explorer AutoTray, URL encoding, and folder presentation settings all suggest intuitive meanings. But Coupons.com goes on to use these keys for a purpose unrelated to their names.

3) The labels are confusingly similar to genuine Windows components. For example, WindowsShell.Manifest is a bona fide Windows file, but Coupons.com’s "WindowsShellOld.manifest.1" (emphasis added) has no relationship whatsoever with that file (and is certainly not an "old" version of that file). Similarly, the HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLEncoding registry key is required by Internet Explorer, making Coupons’ choice of the similar URLDecoding (emphasis added) especially likely to confuse typical users.

Coupons.com’s choice of registry keys and filenames has a clear purpose and effect: To deter users from deleting the specified keys and files. Even among users sophisticated enough to manually delete unwanted files and registry keys, the chosen registry keys and filenames look so official that removal appears unwise. The typical result is that users will elect to retain these files, mistakenly concluding that these files are part of Windows.

Coupons.com’s deceptive filenames flout industry norms. For example, the Anti-Spyware Coalition’s Best Practices invite anti-spyware vendors to consider whether a program’s “files have easy-to-understand names and are easy for users to find on their computers” — a test Coupons.com clearly fails. Anti-spyware statutes in Texas and Arkansas specifically prohibit deceptively-named files and registry entries that prevent users from removing software, and TRUSTe Trusted Download rules (which bind Coupons.com as a Trusted Download sealholder) also prohibit deceptive naming to avoid removal. These Texas, Arkansas, and TRUSTe requirements admittedly limit their prohibitions to deceptively-named "software" and to deception that hinders program removal. Perhaps Coupons.com manages to escape these rules by deceptively naming its configuration files (rather than its executable code) or by making its executable code (though not its configuration files) easy to remove. Nonetheless, these authorities reveal the public’s discomfort with deceptive naming. If users are to know what is on their computers and why, vendors must name their files in a way reasonable users can understand. Yet Coupons.com intentionally does exactly the opposite..

Failing to remove all Coupons.com components when users request uninstall

On my test PC, I attempted to uninstall the Coupons.com software in the usual way: Control Panel – Add/Remove Programs – Coupon Printer. The uninstaller claimed to have run successfully. Yet my computer retained the two files and five registry entries set out in the prior section. These files and registry entries remained even after I restarted my test PC.

I had requested an "uninstall" of Coupons.com software — not a partial uninstall, but (for lack of any instruction or indication to the contrary) a complete uninstall. The Coupons.com uninstaller had even paused to ask about a specific "shared system file" it wanted special confirmation to delete — further suggesting a thorough removal procedure. The uninstaller ultimately reported that the uninstall was "successful." Nonetheless, the specified components were left on my computer after uninstall.

Coupons.com’s privacy policy fails to disclose that these files and registry keys — embodiments of a user’s ID number, as explained in subsequent sections — are left behind even after uninstall. The privacy policy discusses cookies (a more common way to store user information) in a full paragraph, including three sentences about "persistent cookies" and how users can remove them. The privacy policy therefore seems to cover all user information that Coupons.com stores on users’ PCs. Yet the privacy policy is entirely silent as to the files and registry entries set out above, and as to their retention even after a user attempts to remove Coupons.com software. Neither does Coupons.com’s software license agreement mention these hidden files — neither their existence nor their retention.

The TRUSTe Trusted Download certification agreement requires "an easy and intuitive means of uninstallation" (provision 7). TRUSTe instructs that uninstallation "must remove the Certified Software from the User’s computer." TRUSTe does not specifically speak to the possibility of a program leaving data files behind after uninstall. But where TRUSTe offers an exception to the requirement of complete removal, that exception is tightly limited to serving a user’s direct and immediate interest. (Namely, TRUSTe allows a program to leave behind a shared component that other programs also rely on, since removing that component would disable the other programs.) Furthermore, TRUSTe’s requirement summary demands that "[u]ninstallation must remove all software associated with the particular application" (emphasis added) — broad language suggesting little tolerance for files intentionally left behind. Since TRUSTe offers only a single exception to the requirement of complete removal, and since that exception is so narrow, I believe TRUSTe will likely take a dim view of certified software intentionally failing to uninstall any of its components.

Printing users’ ID numbers onto coupons

Coupons.com Prints a User's ID Number on Each Coupon Coupons.com Prints a User’s ID Number on Each Coupon

Every coupon printed from Coupons.com bears a series of small numbers. These numbers include the user ID of the user who printed the coupon. See an example coupon printed from my computer, repeatedly reporting my user ID: 35415364.

Coupons.com’s privacy policy does not prominently warn users that Coupons.com will include their user IDs on each printed coupon. As best I can tell, after multiple careful readings of the privacy policy, the only relevant provision is as follows:

Coupons, Inc. discloses "automatically collected" data (such as coupon print and redeem activity) to its Clients and third-party ad servers and advertisers. These third parties may match this data with information that they have previously collected about you under their own privacy policies, which you should consult on a regular basis.

I believe Coupons.com considers user ID numbers to be "automatically collected data," and Coupons.com seems to use the word "Clients" to include product manufacturers as well as retail merchants. On such an interpretation, the quoted language might let Coupons.com print user ID numbers on coupons that are given to retailers and ultimately to merchants. But even if consumers read the quoted language, most consumers will be unable to figure out what it means because the wording is so convoluted and vague.

In lieu of the quoted wording, Coupons.com could simply explain: "We include your user ID on each coupon you print." Such a warning would be clear, concise, and easy to understand. But such a warning would also raise privacy concerns for typical users — perhaps one reason why Coupons.com might prefer more complicated wording.

Allowing third-party web sites to retrieve user ID numbers, in violation of Coupons.com’s privacy policy

Coupons.com Allows Third-Party Sites to Retrieve User ID Numbers Coupons.com Allows Third-Party Sites to Retrieve User ID Numbers

Examining JavaScript code on Coupons.com’s web site, I noticed an apparent design flaw. Testing confirmed my suspicion: Any web page can invoke the "GetDeviceID" method of Coupons.com’s coupon-printing software. The web page then receives the user ID associated with the user’s installation of Coupons.com software.

To confirm this data leakage, see my Coupons.com Software Shares User IDs with Arbitrary Third Parties testing page. If a computer runs current Coupons.com software, this page will display the associated Coupons.com user ID. (However, no information is sent to my web server or otherwise stored or preserved.) This is the exact same ID number that is printed onto users’ coupons. (Screenshot.)

Although Coupons.com user ID numbers appear to be assigned arbitrarily, distribution of these ID numbers raises at least three privacy concerns:

1) This distribution is not permitted under Coupons.com’s privacy policy. Coupons.com’s privacy policy specifically limits the circumstances in which Coupons.com will share user information, and this is not among the circumstances users accept. In particular, Coupons.com says it will disclose certain information to "clients and third-party ad servers and advertisers." But in fact, Coupons.com’s program code makes user IDs available to anyone — even to sites with absolutely no relationship to Coupons.com.

2) Coupons.com user IDs are widespread. As explained in the prior section, a user’s ID is printed onto each coupon the user prints. Broad distribution of user IDs increases the unpredictable consequences of further sharing of ID numbers. For example, a merchant’s web site could cross-check users’ computers against coupons — conceivably even connecting users’ computers back to users’ retail purchase histories. Retailers could similarly use Coupons.com ID numbers to connect a user’s online activity to the user’s in-store shopping habits.

3) Coupons.com user IDs are persistent. Unless a user carefully removes the filenames and registry entries set out in the preceding section, uninstalling and reinstalling Coupons.com software will retain the same user ID. A Coupons.com user ID is therefore highly likely to continue to identify the same user over time. In contrast, other identifiers tend to change over time. For example, many ISPs reassign user IP addresses often. Some users their cookies in an attempt to increase their online privacy. Because Coupons.com user IDs are unusually hard to remove, Coupons.com user IDs are a particularly effective way for sites to track users over an extended period.

This violation of Coupons.com’s privacy policy occurred despite Coupons.com’s membership in the TRUSTe Web Privacy Seal Program, the TRUSTe Trusted Download Program, and the BBBOnLine Reliability Program. Knowing that Coupons.com software assigns each user an ID number and that Coupons.com accesses these ID numbers through its web site, the prospect of leakage to other web sites (in specific violation of Coupons.com’s privacy policy) was obvious and intuitive. Yet it seems TRUSTe and BBBOnLine failed to check for this possibility. This failure is particularly disappointing since TRUSTe’s Trusted Download program claims to specialize in software testing.

Allowing any person to check whether a given user has printed a given coupon

Coupons.com Confirms that a Given User Has Printed a Given Coupon Coupons.com Confirms that a Given User Has Printed a Given Coupon

Coupons.com Reports that a User Has Not Printed a Given CouponCoupons.com Reports that a User Has Not Printed a Given Coupon

Coupons.com’s Veri-fi service, veri-fi.com, lets any interested person determine whether the coupon is (in Coupons.com’s view) "counterfeit [or] fraudulently-altered." But this same mechanism also lets any person check whether a given Coupons.com user (identified only by the user’s Coupons.com user ID) has printed a given coupon — potentially revealing significant information about the user’s purchasing interests.

To confirm the effect of Coupons.com’s Veri-fi service, I entered the codes from the example coupon shown above. I received the first confirmation shown at right — indicating that the specified user ID (me) had printed the specified coupon.

I then entered the same user ID, but a different coupon code. In particular, I chose a coupon code associated with a valid Coupons.com coupon that I had never printed using the specified user ID. As shown in the second screenshot at right, Veri-fi reported that this second code was invalid. That is, Veri-fi reported that the specified user ID had never printed the specified coupon.

Veri-fi seems to work just as Coupons.com intended. However, combining the Veri-fi verification system with the widespread distribution of Coupons.com user IDs (both in print and through JavaScript), Coupons.com reveals detailed information about which users have requested which coupons. Via the JavaScript interface, a web site can easily extract a user’s Coupons.com user ID. Then, via Veri-fi, the web site can check which coupons the user has printed. The web site can thereby build a rich profile of the user’s purchasing interests — despite the promise in Coupons.com’s privacy policy that such information would be distributed only to Coupons.com’s clients, ad servers, and advertisers.

Strikingly, Coupons.com fails to limit Veri-fi to bona fide coupon validators (e.g. retailers and manufacturers). In fact, Veri-fi lacks even a Terms of Service document or a license agreement to attempt to limit who uses the site.

Update (August 28, 2007 – 3:35pm): Coupons.com has contacted me to report that the Veri-fi site no longer allows the data retrieval described above.

Implications & Consequences

A user visiting Coupons.com reasonably expects to get free coupons. Unfortunately, Coupons.com’s practices far exceed anything described in marketing materials, EULA, or privacy policy. Would users join Coupons.com if they knew they had to receive deceptively-named files? That uninstall would leave files behind for possible use later? That every printout would carry a user ID that could be linked to a user’s full coupon-printing history? That Coupons.com’s software and web site would distribute user information in ways even Coupons.com probably didn’t anticipate? We can’t know the answers to these questions because Coupons.com never gave users the opportunity to decide. But with full disclosure, users might well choose to get their coupons elsewhere.

Coupons.com prominently touts its certifications from TRUSTe (including TRUSTe’s new Trusted Download Program) and BBBOnLine. But when these organizations learn of Coupons.com’s specific practices, I doubt they’ll be impressed. Coupons.com’s practices are in tension with various TRUSTe rules, including a Trusted Download prohibition on certain deceptive filenames and registry keys, as well as TRUSTe’s general prohibition on privacy policy violations. More generally, it’s hard to call a program "trusted" when it uses deceptive names to hide some of its key files, when it fails to remove itself fully upon a user’s specific request, and when it makes available users’ identifying information despite privacy policy promises to the contrary. Retaining the credibility of Trusted Download probably requires that TRUSTe take action either to correct Coupons.com’s practices or to sever TRUSTe’s ties to Coupons.com.

Coupons.com could easily fix some of these bad practices. A new version of Coupons.com’s software could prevent arbitrary web sites from retrieving user ID numbers. Coupons.com could stop printing users’ ID numbers on each coupon, or could prominently tell users that each coupon bears a user ID. Coupons.com could limit Veri-fi access to retailers and manufacturers.

With effort, Coupons.com could track users’ coupon-printing without underhanded tactics like deceptive files and registry entries. For one, Coupons.com could label its files and registry keys appropriately — treating its users with dignity and respect, rather than assuming users will try to cheat. Alternatively, Coupons.com could use recognize computers on which it has previously been installed, without resorting to deceptive files or registry entries. (Direct Revenue built such a system — checking a user’s ethernet address, Windows product key, etc. in order to identify repeat installations.) Simpler yet, Coupons.com could request users’ email addresses, and use duplicate addresses to recognize repeat users. Coupons.com may worry that email addresses offer inadequate security, but eBay (Paypal), Google, and others have used this method even for larger offers (as large as $5 – $10).

Coupons.com’s practices fit the historical problems with digital rights management (DRM) software that attempts to constrain what users can do with their own computers. Compare Coupons.com’s approach to the notorious Sony CDs which used a rootkit to conceal Sony’s DRM software. Just as Sony had to rely on a rootkit to hide its DRM software from users who otherwise would have chosen to remove it, Coupons.com hides user IDs in obscure files and registry keys. Just as Sony’s disclosures were less than forthright, so too does Coupons.com fail to tell users what it is doing and how. Based on their examination of software to constrain access to digital music, Ed Felten and Alex Halderman previously explained the core problem: So long as users don’t want a given piece of code on their computers, vendors are forced to conceal their efforts to put it there and to keep it there. As to Coupons.com, some users do want the core functionality. But tracking users after uninstall is sufficiently noxious that Coupons.com knows it must cover its tracks lest users notice. Coupons.com thus finds itself in the same DRM predicament that ensnared Sony.

FullContext Spyware Injects Coupons.com Ads Into Google FullContext Spyware Injects Coupons.com Ads Into Google

Coupons.com is currently suing John Stottlemire, who Coupons.com claims told users "how to beat the limitation imposed by the software provided by coupons.com." (Complaint paragraph 20.) Coupons.com alleges that Stottlemire "created and used software that purported to remove Plaintiff’s security features, for the purpose of printing more coupons than [Coupons.com’s] security features allow." (Paragraph 21) Coupons.com claims that Stottlemire’s practices violate the Digital Millennium Copyright Act, among other causes of action. I can’t speak to the merits of Coupons.com’s claim. But perhaps Coupons.com would do better to focus on protecting users’ privacy and on complying with its privacy policy.

Coupons.com’s behaviors are particularly notable because they extend to multiple coupon-printing programs distributed by literally thousands of web sites. Although I primarily tested Coupons.com’s Coupon Bar software (version 5.0), it seems Coupons.com’s Coupon Printer 4.1 shares all relevant characteristics. (These are the two Coupons.com programs that have been certified by TRUSTe’s Trusted Download.) In addition to distribution at the Coupons.com web site, these programs are also offered by numerous partner sites. Coupons.com’s marketing materials claim more than 1500 such sites, including the LA Times, Washington Times, and Philly.com.

Coupons.com’s online advertising strategy raises trust and privacy questions similar to those presented by Coupons.com’s coupon-printing software. Twice this year I’ve seen and recorded Coupons.com ads shown through spyware: First through the FullContext ad injector (which put Coupons.com ads into the top of Google.com, above Google’s logo), and later through Targetsaver full-screen pop-up ads. Screenshots. Both programs are widespread and known for installing without consent, among other anti-consumer practices. To be a respected player in the online advertising economy, Coupons.com must do more to avoid funding these spyware vendors and the unsavory ecosystem they represent.

Update on Coupons.com’s Response, My Critique, and TRUSTe’s Decision (September 23, 2007)

After I posted the article above, Coupons.com circulated a two-page response. Among other claims, the response argues that the specified registry keys and filenames are "not deceptive." I emphatically disagree. The components are intentionally named to look like they’re part of Windows, and they’re placed in locations where Windows components ordinarily appear. These practices are exactly intended to mislead users as to the components’ purpose. That’s the essence of deception.

Coupons further claims the "user ID" I describe is in fact a "device ID." As a threshhold matter, that would change none of my analysis. But the word "user" comes directly from Coupons.com’s own source code. Coupons’ JavaScript code references a function called "GetUserCode()" (emphasis added) and passes a OBJECT PARAM tag with value USERID (emphasis added). Elsewhere, Coupons.com uses the abbreviation "txtUID" — i.e. a text field storing a user ID. With these repeated "user" references appearing in code written by Coupons.com, Coupons.com cannot credibly claim I err in my use of that same term.

Coupons.com goes on to argue it ought not be responsible for third parties using Coupons.com’s software to obtain user IDs. Coupons says "it is hard to imagine how a third party’s unauthorized use of our software — a sort of trespass … — constitutes our violation of our own privacy policy." I disagree. Perhaps Coupons.com should begin by rereading its privacy policy. Within the heading "our commitment to data security," Coupons.com specifically promises to "use[] commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information." Coupons.com cannot in good conscience claim it is a "commercially reasonable" "technical safeguard" to allow any web site to invoke a simple JavaScript method of Coupons.com’s software. Quite the contrary, this is poor design — falling far short of industry norms for data protection.

Meanwhile, Coupons.com has updated its installer to show a new license agreement. If a user scrolls to the second screen of the license agreement, the user is told of "License Keys" to be placed on the user’s computer. To Coupons.com’s credit, the installer now discloses that these files will not be removed upon uninstall. But the files continue to be placed in deceptive locations in the user’s Windows directory and in the dedicated Windows section of the user’s registry — a fact nowhere disclosed to users.

On August 31, I filed a watchdog complaint with TRUSTe as to the Coupons.com practices set out above. In response, TRUSTe told me it will require Coupons.com to change its naming system "to avoid looking like … other popular software" (i.e. Windows). TRUSTe will also require Coupons.com to offer a new version of its software that removes deceptive files and registry entries leftover from prior versions. (TRUSTe’s blog describes these same requirements, albeit in terms less stark than the email TRUSTe sent me.) These are certainly steps in the right direction. Were the decision mine to make, I doubt I’d keep Coupons.com on the Trusted Download whitelist during a period when the company’s practices are known to fall short. But that’s a topic for another day.

Meanwhile, Coupons.com continues litigation against John Stottlemire. I’ve been in touch with John. I’ve learned that his software — which would have removed Coupons.com’s deceptive files and registry entries upon a user’s specific request — was actually never distributed to anyone but Coupons.com. (John’s web server detected Coupons.com’s IP addresses and granted them access, even before John was prepared to make the software available to anyone else.) This fact leaves me all the more doubtful of Coupons.com’s litigation strategy. John’s software was never used by even a single user. And John’s software would have done nothing more than remove the deceptively-named components TRUSTe is now ordering Coupons.com to remove itself. I remain hopeful that Coupons.com will withdraw this ill-fated attempt to silence a critic. Pending that, I’ve added John’s plight to my spyware threats page.

Finally, Coupons.com’s sneaky tactics continue to undermine its standing in the security community. Some top anti-spyware programs now detect Coupons.com — and rightly so, in my view. Users with Coupons.com software deserve extra information — not forthcoming from Coupons.com — about what the software does and why users might not want it.

False and Deceptive Pay-Per-Click Ads

I present and critique pay-per-click ads that don’t deliver what they promise. I consider implications for search engine revenues, and I analyze legal and ethical duties of advertisers and search engines. I offer a system for others to report similar ads that they find.

Read Google’s voluminous Adwords Content Policy, and you’d think Google is awfully tough on bad ads. If your company sells illegal drugs, makes fake documents, or helps customers cheat drug tests, you can’t advertise at Google. Google also prohibits ads for fireworks, gambling, miracle cures, prostitution, radar detectors, and weapons. What kind of scam could get through rules like these?

As it turns out, lots of pay-per-click advertisers push and exceed the limits of ethical and legal advertising — like selling products that are actually free, or promising their services are “completely free” when they actually carry substantial recurring charges.

In the sections that follow, I flag more than 30 different advertisers’ ads, all bearing claims that seem to violate applicable FTC rules (e.g. on use of the word “free”), or that make claims that are simply false. (All ads were observed on September 15 or later.) I then explain why this problem is substantially Google’s responsibility, and I present evidence suggesting Google’s substantial profits from these scams. Finally, I offer a mechanism for interested users to submit other false or deceptive ads, and I remark on Google’s failure to take action.

Charging for software that’s actually free

One scam Google doesn’t prohibit — and as best I can tell, does nothing to stop — is charging for software that’s actually free. Search for “Skype” and you’ll find half a dozen advertisers offering to sell eBay’s free telephone software. Search for “Kazaa” or “Grokster” and those products are sold too. Even Firefox has been targeted.

Each and every one of these ads includes the claim that the specified product is “free.” (These claims are expressed in ad titles, bodies, and/or display URLs). However, to the best of my knowledge, that claim is false, as applied to each and every ad shown above: The specified products are available from the specified sites only if the user pays a subscription fee.

These ads are particularly galling because, in each example, the specified program is available for free elsewhere on the web, e.g. directly from its developer’s web site. Since these products are free elsewhere, yet cost money at these sites (despite promises to the contrary), these sites offer users a particularly poor value.

Often these sites claim to offer tech support, but that’s also a ruse: Tests confirm there’s no real support.

Although sophisticated users will realize that these sites are bad deals, novice or hurried users may not. These sites bid for top search engine placement — often appearing above search engines’ organic (main) results. Some proportion of users see these prominent ads, click through, and get tricked into paying for these otherwise-free programs. Claiming a refund takes longer than it’s worth to most users. So as a practical matter, a site need only trick each user for an instant in order to receive its fee.

The “completely free” ringtones that aren’t

Ringtone ads often claim to be “free,” “totally free,” “all free,” “100% complimentary,” and available with “no credit card” and “no obligation” required. These claims typically appear in pay-per-click ad bodies, but they also often appear in ad titles and even in ad domain names, of course along with landing pages.

Often, these claims are simply false: An ad does not offer a “totally free” product if it touts a limited free trial followed by an auto-renewing paid service (a negative option plan).

Other claims are materially misleading. For example, claiming “no credit card required ” suggests that no charges will accrue. But that too is false, since ringtone sites generally charge users through cell phone billing systems, unbeknown to many users who believe a service has no way to impose a charge if a user provides no credit card number.

Each and every one of these ads includes the claim that the specified product is “free” (or some other claim substantially similar, e.g. “complimentary”). In most cases, subsequent language attempts to disavow these “free” claims. But in each case, to the best of my knowledge, service is available only if a user enters into a paid relationship (e.g. a paid subscription) — the very opposite of “free.” (Indeed, the subscription requirement applies even to unlimitedringtones.com, despite that ad’s claim that “no subscription [is] required.” The site’s fine print later asserts that by requesting a ringtone registration, a user “acknowledge[s] that [he is] subscribing to our service billed at $9.99 per month” — specifically contrary to site’s earlier “no subscription” promise.)

Vendors would likely defend their sites by claiming that (in general) their introductory offers are free, and by arguing that their fine print adequately discloses users’ subsequent obligations. This is interesting reasoning, but it’s ultimately unconvincing, thanks to clear regulatory duties to the contrary.

The FTC’s Guide Concerning the Use of the Word ‘Free’ is exactly on point. The guide instructs advertisers to use the word “free” (and all words similar in meaning) with “extreme care” “to avoid any possibility that consumers will be misled or deceived.” The guide sets out specific rules as to how and when the word “free” may be used, and it culminates with an incredible provision prohibiting fine print to disclaim what “free” promises. In particular, the rule’s section (c) instructs (emphasis added):

All the terms, conditions and obligations upon which receipt and retention of the ‘Free’ item are contingent should be set forth clearly and conspicuously at the outset of the offer … in close conjunction with the offer of ‘Free’ merchandise or service.

In case that instruction left any doubt, the FTC’s rule continues:

For example, disclosure of the terms of the offer set forth in a footnote of an advertisement to which reference is made by an asterisk or other symbol placed next to the offer, is not regarded as making disclosure at the outset.

Advertisers may not like this rule, but it’s remarkably clear. Under the FTC’s policy, ads simply cannot use a footnote or disclaimer to escape a “free” promise made earlier. Nor can an advertiser promise a “free” offer at an early stage (e.g. a search engine ad), only to impose additional conditions later (such as in a landing page, confirmation page, or other addendum). The initial confusion or deception is too strong to be cured by the subsequent revision.

Advertisers might claim that the prohibited “free” ads at issue come from their affiliates or other partners — that they’re not the advertisers’ fault. But the FTC’s Guide specifically speaks to the special duty of supervising business partners’ promotion of “free” offers. In particular, section (d) requires:

[I]f the supplier knows, or should know, that a ‘Free” offer he is promoting is not being passed on by a reseller, or otherwise is being used by a reseller as an instrumentality for deception, it is improper for the supplier to continue to offer the product as promoted to such reseller. He should take appropriate steps to bring an end to the deception, including the withdrawal of the ‘Free’ offer.

It therefore appears that the ads shown above systematically violate the FTC’s “free” rules. Such ads fail to disclose the applicable conditions at the outset of the offer, as FTC rules require. And even where intermediaries have placed such ads, their involvement offers advertisers no valid defense.

Ads impersonating famous and well-known sites

Some pay-per-click ads affirmatively mislead users about who is advertising and what products are available. Consider the ads below, for site claiming to be (or to offer) Spybot. (Note text in their respective display URLs, shown in green type.) Despite the “Spybot” promise, these sites actually primarily offer other software, not Spybot. (Spybot-home.com includes one small link to Spybot, at the far bottom of its landing page. I could not find any link to the true Spybot site from within www-spybot.net.)

In addition, search engine ads often include listings for sites with names confusingly similar to the sites and products users request. For example, a user searching for “Spybot” often receives ads for SpyWareBot and SpyBoot — entirely different companies with entirely different products. US courts tend to hold that competitive trademark targeting — one company bidding on another company’s marks — is legal, in general. (French courts tend to disagree.) But to date, these cases have never considered the heightened confusion likely when a site goes beyond trademark-targeting and also copies or imitates another company’s name. Representative examples follow. Notice that each ad purports to offer (and is triggered by searches for the name of) a well-known product — but in fact these ads take users to competing vendors.

Google’s responsibility – law, ethics, and incentives

Google would likely blame its advertisers for these dubious ads. But Google’s other advertising policies demonstrate that Google has both the right and the ability to limit the ads shown on its site. Google certainly profits from the ads it is paid to show. Profits plus the right and ability to control yield exactly the requirements for vicarious liability in other areas of the law (e.g. copyright infringement). The FTC’s special “free” rules indicate little tolerance for finger-pointing — even specifically adding liability when “resellers” advertise a product improperly. These general rules provide an initial basis to seek greater efforts from Google.

Crucially, the Lanham Act specifically contemplates injunctive relief against a publisher for distributing false advertising. 15 USC § 1125(a)(1) prohibits false or misleading descriptions of material product characteristics. § 1114 (2) offers injunctive relief (albeit without money damages) where a publisher establishes it is an “innocent infringer.” If facing claims on such a theory, Google would surely attempt to invoke the “innocent infringer” doctrine — but that attempt might well fail, given the scope of the problem, given Google’s failure to stop even flagrant and longstanding violations, and given Google’s failure even to block improper ads specifically brought to its attention. (See e.g. World Wrestling Federation v. Posters, Inc., 2000 WL 1409831, holding that a publisher is not an innocent infringer if it “recklessly disregard[s] a high probability” of infringing others’ marks.)

Nonetheless, the Communications Decency Act’s 47 USC § 230(c)(1) potentially offers Google a remarkable protection: CDA § 230 instructs that Google, as a provider of an interactive computer service, may not be treated as the publisher of content others provide through that service. Even if a printed publication would face liability for printing the same ads Google shows, CDA § 230 may let Google distribute such ads online with impunity. From my perspective, that would be an improper result — bad policy in CDA § 230’s overbroad grant of immunity. A 2000 DOJ study seems to share my view, specifically concluding that “substantive regulation … should, as a rule, apply in the same way to conduct in the cyberworld as it does to conduct in the physical world.” But in CDA § 230, Congress seems to have chosen a different approach.

That said, CDA § 230’s reach is limited by its exception for intellectual property laws. § 230(e)(2) provides that intellectual property laws are not affected by § 230(c)(1)’s protection. False advertising prohibitions are codified within the Lanham Act (an intellectual property statute), offering a potential argument that CDA § 230 does not block false advertising claims. This argument is worth pursuing, and it might well prevail. But § 230 cases indicate repeated successes for defendants attempting to escape liability on a variety of fact patterns and legal theories. On balance, I cannot confidently predict the result of litigation attempting to hold Google responsible for the ads it shows. As a practical matter, it’s unclear whether or when this question will be answered in court. Certainly no one has attempted such a suit to date.

Notwithstanding Google’s possible legal defenses, I think Google ought to do more to make ads safe as a matter of ethics. Google created this mess — by making it so easy for all companies, even scammers, to buy Internet advertising. So Google faces a special duty to help clean up the resulting problems. Google already takes steps to avoid sending users to web sites with security exploits, and Google already refuses ads in various substantive categories deemed off-limits. These scams are equally noxious — directly taking users’ money under false pretenses. And Google’s relationship with these sites is particularly unsavory since Google directly and substantially profits from their practices, as detailed in the next section.

Even self-interest ought to push Google to do more here. Google may make an easy profit now by selling ads to scammers. But in the long run, rip-off ads discourage users from clicking on Google’s sponsored links — potentially undermining Google’s primary revenue source.

Who really profits from rip-off ads?

When users suffer from scams like those described above, users’ money goes to scammers, in the first instance. But each scammer must pay Google whenever a user clicks its ad. So Google profits from scammers’ activities. If the scammers ceased operations — voluntarily, or because Google cut off their traffic — Google’s short-run revenues would decrease.

Users
service fees
   Scammers   
advertising fees
Google
How Google Profits from Scammers

Consider the business model of rogue web sites “selling” software like Skype. They have one source of revenue — users buying these programs. Their expenses tend to be low: they provide no substantial customer service, and often they link to downloads hosted elsewhere to avoid even incurring bandwidth costs. It seems the main expense of such sites is advertising — with pay-per-click ads from Google by all indications a primary component. The diagram at right shows the basic money trail: From users to scam advertisers to Google. When users are ripped off by scammers, at least some of the payment flows through to Google.

How much of users’ payments goes to Google, rather than being retained by scammers? My academic economics research offers some insight. Recall that search engine ads are sold through a complicated multi-unit second-price auction: Each advertiser’s payment is determined by the bid of the price of the advertiser below him. Many equilibria are possible, but my recent paper with Michael Ostrovsky and Michael Schwarz offers one outcome we think is reasonable — an explicit formula for each advertiser’s equilibrium bid as a function of its value (per click) and of others’ bids. In subsequent simulations (article forthcoming), Schwarz and I will demonstrate the useful properties of this bidding rule — that it dominates most other strategies under very general conditions. So there’s good reason to think markets might actually end up in this equilibrium, or one close to it. If so, we need only know advertisers’ valuations (which we can simulate from an appropriate distribution) to compute market outcomes (like advertiser profits and search engine revenues).

One clear result of my recent bidding simulations: When advertisers have similar valuations (as these advertisers do), they tend to “bid away” their surpluses. That is, they bid almost as much as a click is worth to them — so they earn low profits, while search engines reap high revenues. When a user pays such an advertiser, it wouldn’t be surprising if the majority of that advertiser’s gross profit flowed through to Google.

A specific example helps clarify my result. Consider a user who pays $38 to Freedownloadhq.com for a “free” copy of Skype. But Freedownloadhq also received, say, 37 other clicks from 37 other users who left the site without making a purchase. Freedownloadhq therefore computes its valuation per click (its expected gross profit per incoming visitor) to be $1. The other 10 advertisers for “Skype” use a similar business model, yielding similar valuations. They bid against each other, rationally comparing the benefits off high traffic volume (if they bid high to get top placement at Google) against the resulting higher costs (hence lower profits). In equilibrium, simulations report, with 10 bidders and 20% standard deviation in valuations (relative to valuation levels), Google will get 71% of advertisers’ expected gross profit. So of the user’s $38, fully $27 flows to Google. Even if Freedownloadhq’s business includes some marginal costs (e.g. credit card processing fees), Google will still get the same proportion of gross profit.

One need not believe my simulation results, and all the economic reasoning behind them, in order to credit the underlying result: That when an auctioneer sells to bidders with similar valuations, the bidders tend to bid close together — giving the auctioneer high revenues, but leaving bidders with low profits. And the implications are striking: For every user who pays Freedownloadhq, much of the user’s money actually goes to Google.

In January I estimated that Google and Yahoo make $2 million per year on ads for “screensavers” that ultimately give users spyware. Add in all the other terms with dubious ads — all the ringtone ads, the for-free software downloads, ads making false statements of product origin, and various other scams — and I wouldn’t be surprised if the payments at issue total one to two orders of magnitude higher.

Towards a solution

Some of these practices have been improving. For example, six months ago almost all “ringtones” ads claimed to be “free,” but today some ringtones ads omit such claims (even while other ads still include these false statements).

Recent changes in Google pricing rules seem to discourage some of the advertisers who place ads of the sort set out above. Google has increased its pricing to certain advertisers, based on Google’s assessment of their “low quality user experience.” But the specific details of Google’s rules remain unknown. And plenty of scam ads — including all those set out above — have remained on Google’s site well after the most recent round of rule changes. (All ads shown above were received on September 15, 2006, or later.)

Google already has systems in place to enforce its Adwords Content Policy. My core suggestion for Google: Expand that policy to prevent these scams — for example, explicitly prohibiting ads that claim a product is “free” when it isn’t, and explicitly prohibiting charging users for software that’s actually free. Then monitor ads for words like “free” and “complimentary” that are particularly likely to be associated with violations. When a bad ad is found, disable it, and investigate other ads from that advertiser.

To track and present more dubious ads, I have developed a system whereby interested users can submit ads they consider misleading for the general reasons set out above. Submit an ad or view others’ submissions.

These problems generally affect other search engines too — Yahoo, MSN, and Ask.com, among others. But as the largest search engine, and as a self-proclaimed leader on ethics issues, I look to Google first and foremost for leadership and improvement.

Google’s (Non-)Response

When Information Week requested a comment from Google as to the ads I reported, Google responded as follows:

When we become aware of deceptive ads, we take them down. … We will review the ads referenced in this report, and remove them if they do not adhere to our guidelines.

A week later, these ads remain available. So Google must have concluded that these ads are not deceptive (or else Google would have “take[n] them down” as its first sentence promised). And Google must have concluded that these ads do adhere to applicable Google policies, or else Google would have “remove[d] them” (per its second sentence).

Google’s inaction exactly confirms my allegation: That Google’s ad policies are inadequate to protect users from outright scams, even when these scams are specifically brought to Google’s attention.

All identifications and characterizations have been made to the best of my ability. Any errors or alleged errors may be brought to my attention by email.

I thank Rebecca Tushnet for helpful discussions on the legal duties of advertisers and search engines.

StatCounter - Free Web Tracker and Counter

Originally posted October 9, 2006. Last Updated: October 16, 2006.

PPC Ads, Misleading and Worse

Read Google’s voluminous Adwords Content Policy, and you’d think Google is awfully tough on bad ads. If your company sells illegal drugs, makes fake documents, or helps customers cheat drug tests, you can’t advertise at Google. Google also prohibits ads for fireworks, gambling, miracle cures, prostitution, radar detectors, and weapons. What kind of scam could get through rules like these?

As it turns out, lots of pay-per-click advertisers push and exceed the limits of ethical and legal advertising — like selling products that are actually free, or promising their services are “completely free” when they actually carry substantial recurring charges. For example, the ad at right claims to offer “100% complimentary” and “free” ringtones, when actually the site promotes a services that costs approximately $120 per year.

 


An example misleading ad, falsely claiming ringtones are An example misleading ad, falsely claiming ringtones are “complimentary” when they actualy carry a monthly fee.

In today’s article, I show more than 30 different advertisers’ ads, all bearing claims that seem to violate applicable FTC rules (e.g. on use of the word “free”), or that make claims that are simply false. I then analyze the legal and ethical principles that might require search engines to remove these ads. Finally, I offer a mechanism for interested users to submit other false or deceptive ads they find.

Details:

False and Deceptive Pay-Per-Click Ads

Services for Advertisers – Avoiding Waste and Improving Accountability

In the course of my research on spyware/adware, typosquatting, popups, and other controversial online practices, I have developed the ability to identify practices that overcharge online advertisers. I report my observations to select advertisers and top networks in order to assist them in improving the cost-effectiveness of their advertising including by flagging improper ad placements, rejecting unjustified charges, and avoiding untrustworthy partners. This page summarizes the kinds of practices I uncover and presents representative examples drawn from my publications.

For Display Advertisers and Display Networks

In work for display advertisers and display networks, I catch and report the following problems:

For Affiliate Advertisers and Affiliate Networks

In work for affiliate advertisers and affiliate networks, I catch and report the following problems:

Information and Incentives in Online Affiliate Marketing analyzes patterns in merchants’ vulnerabilities and effective defenses.

For Advertisers in Comparison Shopping Engines

In work for comparison shopping engines (CSEs) and their advertisers, I catch and report the following problems:

  • Advertisements loaded, and clicks recorded and billed for, without a user seeing the advertisement link or clicking on it. (CSE click fraud)
  • CSE advertisements presented in adware including injections, popups, sliders, and toasts.

Methods

I catch infractions using multiple “crawler” PCs which operate 24 hours per day, continuously checking for improper advertising placements. These crawlers run from multiple locations in the US, along with systems to detect behaviors targeting users outside the US. Some of my reports draw on large-scale automation developed in partnership with Wesley Brandi. I supplement automatic observations with manual testing using methods I have refined over more than a decade.

Each of my reports includes a packet log presenting the specific methods and identifiers (ad tags, affiliate IDs, etc.) associated with the infraction. Where an incident includes notable on-screen appearances (e.g. a popup), I typically include a screen-capture video or screenshot image showing occurrences as they appear to users. Each report includes a customized explanatory memorandum.

Please contact me to learn more about my reports.

Last updated: May 21, 2016

Search Engine Safety, Revisited

This article uses data from SiteAdvisor, a company to which I serve as an advisor.

In January I bemoaned the sorry state of search engine results for "screensavers." I pointed out that most "screensavers" ads lead to sites I can’t recommend, and I criticized search engines for their failure to enforce higher standards. But this problem goes well beyond that single keyword and that single genre of sites.

Today SiteAdvisor’s Hannah Rosenbaum and I released The Safety of Internet Search Engines. We obtain top search engine keywords from authoritative sources like Google Zeitgeist. We extract top organic and sponsored search engine results for those keywords. Then we evaluate site safety, using SiteAdvisor’s assessments of spyware, spam, scams, and other Internet menaces.

A representative Google ad -- asking users to pay for software widely available elsewhere for free.SiteAdvisor markup of search results, flagging a representative Google ad — asking users to pay for software widely available elsewhere for free.

Our most notable result? Search engine ads are a risky business. Overall, across all keywords and search engines, 8.5% of sponsored results were "red" or "yellow" by SiteAdvisor’s standards, versus only 3.1% of organic results. It’s not unusual to see ads for notorious spyware vendors like Direct Revenue (as documented in my January piece); for sites that charge for software available elsewhere for free (like the ad shown at right, trying to charge $29 for Skype’s free phone); and for spammers that send hundreds of mesages per week, if a user enters a single email address. These scams deceive and harm search engine users, and I’d like to see Google update its advertising editorial guidelines to prohibit such practices — then enforce these rules with appropriate diligence.

Our article includes an abundance of data. I particularly enjoy this chart of Google site safety by individual keyword — showing "free screensavers" as our single most dangerous search, with other notorious searches including "bearshare," "free music downloads," "winzip," and "kazaa." See also our charts of specific red and yellow sites found within search results.

The full article:

The Safety of Internet Search Engines

Direct Revenue’s Dirty Documents

On Tuesday, the New York Attorney General filed suit against notorious spyware vendor Direct Revenue. In a detailed complaint, the NYAG alleged Direct Revenue surreptitiously installed spyware onto users’ computers and made its spyware exceptionally difficult to remove. The suit includes claims under New York’s General Business Law (prohibiting false advertising and deceptive business practices), New York’s Penal Law (prohibiting computer tampering), and New York’s common law prohibitions against trespass.

The NYAG’s complaint was accompanied by more than a thousand pages of exhibits and appendices. Some of these documents present the results of NYAG’s testing — narratives of misleading and nonconsensual installation, not unlike my own installation tests. But the NYAG also produced a treasure trove of documents: Internal Direct Revenue documents, records, and emails that present their strategy, intentions, and plans in great detail.

I have obtained these additional documents and posted them to a new page:

People of the State of New York v. Direct Revenue, LLC – Documents and Analysis

Some documents and findings of particular interest:

  • Revenues reported at $6.9 million in 2003, $39 million in 2004, $33 million in January-October 2005. 2004 expenses total only $13 million, for a profit margin of 66%.
  • Payments to Direct Revenue’s senior staff, totaling more than $27 million.
  • A list of distributors of Direct Revenue’s spyware, with the number of installations attributable to each.
  • Admission that Direct Revenue for a time sold a “majority” of its advertising through ad networks Traffic Marketplace and ValueClick.
  • Admission that Direct Revenue’s ads appear so frequently that they constitute “user abuse.” But reducing ad frequency lowers company revenues, so frequency stays high.
  • Admission that Direct Revenue previously tracked and transmited users’ GET and POST data — names, addresses, emails — and even sent this data to third parties Hitwise and Compete.com. Itemizes the specific personal information collected from online forms: first name, last name, e-mail address, street address, and zip code. Hitwise reports successfully analyzing and matching users’ IDs, genders, and phone numbers.
  • Instructs making Direct Revenue harder to remove, by deleting its entry from Control Panel’s Add/Remove Programs, because too many users were relying on that method to remove Direct Revenue.
  • Report of April-June 2005 payments from Yahoo, totaling more than $600,000 in those three months alone.
  • Installation by Direct Revenue of Ebates’ Moe Money Maker onto users’ computers.
  • Listing of Direct Revenue’s many names and shell companies, all used to confuse and deceive the public.
  • Complaints from Direct Revenue partners, such as Kazaa (which called Direct Revenue’s ads “purposefully confusing to the user”) and Integrated Search (which wanted Direct Revenue to include an uninstaller in Control Panel, as previously promised)
  • Threatening the Center for Democracy and Technology. Demanding revisions from CNET. Hiring an investigator to track anti-spyware researcher Webhelper, and planning tactics to intimidate him.
  • Claims I am “losing credibility in the industry” and calls me a “fanatic.”
  • Endorses NYAG’s suit against Intermix as an “important opportunity to draw a bright line between purveyors of spyware and legitimate behavioral marketing companies like Direct Revenue.”
  • Scores of complaints from users (1, 2, 3 , 4, 5, 6, 7, 8, 9) Direct Revenue staff call one complaining user an “idiot.”
  • Complaints from Direct Revenue’s investors get special handling. One investor worries that another member of his investment firm, former Secretary of the Treasury Bob Rubin, may learn of Direct Revenue’s practices.
  • Reports daily revenue per user at approximately $0.015 (one and one half cents per user per day). (Compare that revenue with the harm caused to users — the amount a typical user would be willing to pay not to have Direct Revenue installed.)

See also others’ analysis of the documents.

I still have a few more documents to post, and I’ll be uploading them later today.