Pushing Spyware through Search

This article uses data from SiteAdvisor, a company to which I serve as an advisor.

Much of the computer security industry acts like spyware is immaculately conceived. Somehow it just appears on computers, we are led to believe, and supposedly all we can do is clean up the mess after it happens, rather than prevent it in the first place. I disagree.

Now, we all love Google. I use Google’s search site all day every day, and I enjoy their downloadable applications too. So I have the greatest respect for Google’s core service. But there’s another side to their business. Indirectly, Google and other search engines make big money from spyware, through paid search advertising that infects users who don’t know any better or don’t understand what they’re getting into.

Consider a Google search for “screensavers”:

Risky Entries in 'Screensavers' Search Results

The colored icons next to search results were inserted not by Google, but by the SiteAdvisor client application, based on the results of SiteAdvisor’s automated tests for each listed site. Six of Google’s ten sponsored links get “red” or “yellow” ratings — generally indicating unwanted advertising through spyware or, in some instances, high-volume commercial email. But without SiteAdvisor (or some similar protection), users would have no idea which sites were safe; they’d be at great risk of clicking through to an unsafe site, ultimately risking installation of unwanted software.

Screensaver Advertisers’ Business Model

Google surrounds its “screensavers” search results with ten ads selected from interested Google advertisers. Whenever I see a company buying an ad (online or offline) for a “free” product, I ask myself: How do they make money? With few exceptions, companies only buy online advertising when they expect to get something directly in return. (There are exceptions — dot-com bubble “eyeball” purchases, Fortune 500 “brand building,” perhaps some free ads offered by the Google Foundation.) But in the case of these screensaver providers, they’re almost certainly making money somehow if they can afford to pay Google’s high pay-per-click prices.

So how do Google’s screensaver advertisers make money? Most of Google’s screensaver advertisers really do offer screensavers that are “free” in the sense that users need not provide a credit card number. But they’re not free in the sense of being available without substantial adverse effects. Quite the contrary: Users must put up with various forms of intrusive advertising.

Let’s look at funscreenz.com, a top-ten Google advertiser for “screensavers.”

"Funscreenz installation page

Funscreenz.com is owned by BestOffersNetwork, which is another name for notorious “adware” company Direct Revenue. Recall Direct Revenue’s Newsweek profile – plenty of users (and multiple lawsuits) alleging that their software installs improperly and, in many cases, without consent. I’ve previously documented Direct Revenue installed in tricky popups, via false claims of purportedly-required add-ons, and through exploits without any consent at all.

Of course Funscreenz is not alone. Also in top “screensavers” Google results are ads for Claria, Ask Jeeves, and various adware bundlers (who distribute changing or multiple advertising programs). One top Google “screensaver” advertiser sends 15+ emails per week to those who provide an email address to get a screensaver. Results at Yahoo and MSN are similar.

Estimating Search Engine Revenues from Spyware Infections

Every time a user clicks through a search engine ad, the search engine gets paid. Google doesn’t ordinarily say how much advertisers pay. But Yahoo (which does) charges about $0.25 for a “screensavers” click. Let’s do some math. Of the users who click through to screensavers.com, suppose 10% actually download a screensaver – a conversion rate most web sites would celebrate. Then screensavers.com needs to earn $2.50 per download ($0.25/10%) just to break even. That’s a lot of money per download. But they’re buying the ads anyway, and they’re savvy decision-makers. So we can deduce that this site grosses at least $2.50 per download.

How much money do search engines make from these ads? Some initial back-of-the-envelope estimates: According to Yahoo’s keyword inventory tool, “screensaver” (and its hundred most common variants) received about 2.3 million searches in December 2005. Suppose 20% of those searchers clicked on paid links. (That’s conservative, since ads fill more than half of typical users’ screens.) As estimated above, suppose Yahoo collects $0.25 per paid click. Then Yahoo made about $115,000 in December 2005 from “screensaver” and variants. Throw in Google, with its bigger market share, and “screensaver” likely yields about $250,000 of revenue per month.

Of course, not all “screensaver” ads ultimately yield spyware. But from SiteAdvisor’s tests, it seems at least 60% push spyware, spam, or similar unwanted materials. So Google and Yahoo’s “dirty” revenue, from dubious screensavers ads, is probably about $150,000 per month.

But “screensaver” is only one of many terms that commonly leads to spyware and adware. I’ll look at other risky keywords in future articles, as I try to measure the prevalence of this problem in greater detail. Reviewing traffic data from Yahoo’s inventory tool, I’m confident that similarly-affected keywords total at least fifteen times the traffic to “screensavers.” Then Google and Yahoo make about $2.2 million per month, or $26 million per year, through this spyware-pushing advertising. That may not be big money to them, but to my eye it’s a lot.

Clearly there are quite a few estimates here. Send email for methodological improvements and alternative data sources.

Closing Thoughts

As with so many great Internet inventions, the bad guys have stormed the gates of search engines. Now is the time to start fighting back. That doesn’t mean search engines should blacklist every company I ever criticize, but some “adware” vendors are so shady that search engines could proudly refuse their money. Responsibility starts at home. More on search engines’ possible strategies in a future article.

Past work on search engines funding spyware: Yahoo ads syndicated into spyware, Google ads shown through spyware-delivered popups and other vendors’ improperly-installed toolbars.

What Passes for “Consent” at 180solutions

180solutions today announced its plan to show its users “notification” popups describing some of 180’s practices — thereby, in 180’s view, obtaining users’ “informed consent.” In principle, a re-opt-in might let 180 obtain users’ consent even where initial installations had somehow failed to do so. But 180’s notification message is so flawed and so duplicitous that it can’t offer the legitimacy 180 purportedly seeks. For one, 180’s notification screen makes numerous false statements. Also, 180’s notification is presented in a way that fails to obtain any notion of “consent.” Meanwhile, even 180’s new installs don’t obtain meaningful informed consent.

A Close Look at 180’s “Notifications”


180 Notification Screenshot180 Notification Screenshot

A reporter yesterday sent me a screenshot of 180’s planned notification. I see at least seven problems with the screen’s text:

1. 180’s notification screen fails to affirmatively state what 180 does — its popups or its privacy effects. 180’s first two sentences disclose that something called “180search Assistant” is installed, and that it will show “ads.” But nowhere does 180 disclose that the ads appear in popups — an advertising format known to be particularly objectionable, and therefore particularly important to bring to users’ attention if users are to offer genuine consent. In addition, nowhere does 180 disclose the important privacy effects of installing 180 software — that 180 will track what web sites users visit, and send much of this information to its servers. The importance of these omissions can’t be overstated: If 180 fails to disclose what users are purportedly accepting, no valid “consent” can result.

2. 180 claims to “giv[e] you free access to search tools, software and entertainment sites.” This claim is false, in that for many users 180 provides no such thing. Consider a user who receives 180 software without notice or consent. 180 might allow access to special entertainment sites that are otherwise unavailable. But this ability is of no benefit if users don’t know they have 180, didn’t ask for 180, aren’t told what special sites they can access, and in any event don’t want to access such sites.

3. 180 claims to show “approximately 2-3 highly targeted ads per day.” This claim is false, in that many users will receive many more ads per day. Perhaps an average user gets only a few ads per day, when averaging includes all the users who don’t use their PCs on many days, or who don’t use their web browsers. But in even limited web browsing, I consistently receive far more than three 180 ads per day.

4. 180 inexplicably claims that “user consent is required before 180search Assistant can be installed.” This claim is absolutely false. 180 is often installed without any consent at all. See videos on my site (1, 2, 3) (dozens more on file). 180’s own staff have repeatedly admitted that nonconsensual installations occur (1, 2, 3, 4). After these many admissions, I don’t understand how 180 can now argue that users have “consent[ed]” to its installation. Indeed, the entire premise of 180’s re-notification program is to make up for prior nonconsensual installations!

5. 180 claims that “all 180search Assistant ads are labeled…” This is false. As 180 staff have previously admitted, advertisements with redirects erase 180’s ad labeling.

6. 180 claims that “the user must be 18 or over to download.” Again, false. In fact, 180 software is widely offered on kids sites, where users are unlikely to be over 18. (Example.) Some 180’s installations mention a requirement of user age, but this provision is typically exceptionally hard to find. For example, in one screensaver I tested today, the user-age provision was on page 18 of 180’s license, in the next-to-last paragraph, captioned “Miscellaneous.” (Screenshot.)

7. 180 concludes by claiming that “You can easily remove the 180search Assistant … using ‘Add or Remove Programs'” False. The removal isn’t “easy,” for at least two reasons.

i. Finding 180 is surprisingly difficult. 180 often places its entry in tricky locations within the alphabetical Add/Remove listing — like under “U” for “Uninstall 180search Assistant,” rather than a more natural “1” for “180search Assistant.” Users cannot reasonably be expected to look under “U” in search of 180’s entry. On a new PC with a short Add/Remove list, users will still typically find 180’s entry. But on a long and crowded Add/Remove list, on a typical heavily-used PC, it’s anything but “easy” to find 180.

ii. 180 discourages removals using various false and misleading statements. See my prior analysis, finding numerous dubious claims in 180’s uninstall procedure, as well as confusing window design that further discourages removal. For example, 180 falsely claims that removing its software “will disable any Zango-based applications” — even when no such applications have been installed.

Combining these factors, 180’s uninstall procedure is not properly characterized as “easy.” 180 does know how to make “easy” procedures: When 180’s software is installed with one click (or even with zero!), the procedure is remarkably simple. But 180 has taken affirmative steps to make removal harder.

Problems with 180’s Notification Procedure: Failing to Request or Obtain Consent

180’s press release claims that its new notification screens will “ensure each user … has provided informed consent.” I disagree. As I look at 180’s notification text, 180’s notification actually won’t obtain any consent at all.

As a threshold matter, 180’s notifications apparently will be shown in ordinary Internet Explorer popup windows. Seeing these popups, typical users will seek to close them as quickly as possible — finding them irrelevant, unwanted, and annoying. The ordinary IE presentation format is not conducive to obtaining consent. It’s certainly not well-equipped to get the “informed consent” 180 purports to seek.

Most seriously, 180’s notification text does not seek or require any manifestation of user agreement or approval. In fact, 180’s screen doesn’t say anything about consent: It doesn’t require users to click a button to indicate acceptance of 180’s terms; it doesn’t require users to click a button to keep 180 software on their PCs. Rather, 180’s software stays installed unless users figure out how to remove it. Failure to remove 180’s software certainly can’t be claimed to constitute “consent” to keep it installed. So where’s the “consent” in 180’s notifications?

If 180 really wants informed consent, it could do a lot better. Rather than write its notification screens in marketing-speak, full of euphemisms and half-truths, 180 could write its notification in the formal and calm language used in disclosures elsewhere. I’ll even give 180 a few free sentences. First, 180 should accurately describe its software:

“Your computer is running 180solutions advertising software. 180 will track what web sites you visit, and 180 will show you pop-up ads accordingly. On average, users receive several ads per day, but you may receive more or fewer, depending on how often you use your web browser and depending on what web sites you visit.”

180 would accompany this text with an image showing a representative pop-up ad.

Next, 180 would proceed to explain how its software got installed, and what users can do to keep it or to remove it:

“180 software may have been installed on your computer with your consent or with consent of another user of your computer. 180 may have become installed without consent. You may elect to keep 180 software on your PC, or you may choose to remove it without penalty.”

Finally, 180 would include a one-click button to uninstall its software immediately, along with another button that indicates users’ consent to keep 180 installed.

If 180 included notice of this form — unbiased truthful sentences, that fairly and frankly disclose 180’s true effects — users might be able to make an informed decision to keep 180’s software. But where 180’s “disclosure” is loaded with euphemisms and falsehoods, offering only a convoluted uninstall procedure, it’s hard to say 180 has obtained “informed consent.”

180’s New Installation Stubs: Half-Truths and Omissions

180’s press release claims that its new “technology enhancements” will make it “harder” for 180 software to be installed “covert[ly].” Perhaps. But what happened to the standard of “informed consent” (so prominent earlier in 180’s press release)? 180’s change in wording — from “informed consent” to avoiding “covert” installations — may be surprisingly important. I agree that 180’s new installation procedure isn’t covert. But neither does it yield informed consent.

180 stub installer - initial screen - failing to mention that 180's ads are pop-ups, failing to mention privacy effects 180 Stub Installer – Main Screen

180 installer screen covers license agreementInstaller Covers & Obscures License Agreement

180 installer -- second screen if  users initially decline.  Pressing "Resume" causes installation to proceed immediately, without any further opportunity to review 180's license or to decline installation. Secondary Installer Screen – If User Initially Declines

My understanding is that the “enhancement” at issue is a stub installer like that shown at right. 180’s distribution partners currently distribute a full copy of 180 software. But in the future, apparently they’ll only distribute a stub. Currently, 180’s partners are asked to obtain consumer consent for the installation of 180 software; under the new approach, 180 itself will obtain consent. If properly implemented, this approach might prevent many wrongful installations. Unfortunately, I’ve seen little sign that 180 has designed this system in a way that obtains meaningful consent.

Last week I was testing a security hole exploit which installed more than a dozen programs on my test PC without any notice or consent. Among the unrequested screens appearing on my test PC was the image shown at right (top). This first screen apparently seeks my consent to install 180 — but like the 180 notification described in the preceding sections, nowhere does this screen explain 180’s relevant characteristics and effects. The screen mentions “180search Assistant” and “2-3 advertiser referrals” — but nowhere does it mention that 180’s “referrals” are actually pop-up ads. The screen says that referrals will be “based … on … websites you visit,” but it fails to disclose that website visit data will also be sent to 180’s servers. So the screen fails to mention the relevant facts users need to know in order to grant informed consent.

180’s stub installer does mention an external license, available via a blue link from within the stub. I clicked the link and received the image shown in the second screen at right. Notice the web browser showing 180’s license — in a small window, requiring eight screens to view in full. Worse, although I had clicked the “Terms and Conditions” link to request the license, 180’s large stub installer still largely covered the license. It was extraordinarily hard to read the license, even when I maximized the license to fill the rest of the screen, because roughly half of each line of text was covered by the stub window. (Notice that the license window is “active” (blue title bar highlighting) while the stub “Setup” window is “inactive” (grey).) This is not a one-time fluke; to the contrary, the stub consistently remains on top of the license (and all other windows), contrary to Windows standards. Savvy users may realize they can move the stub out of the way by dragging its title bar. But the ordinary windows Minimize button is missing from the stub’s window, eliminating the easiest way to hide that screen.

On one test PC, I pressed “Finish” in the stub, and 180 installed immediately.

On another test PC, I mimicked the choice of a user who didn’t want 180. I pressed “Cancel” in the stub, and I was then shown the third screen at right. This window claims that “without [180], [a user] may lose access to free games, music, toolbars, and other downloads.” This statement may be accurate as to some installations, but in the security exploit I received last week, I had requested no games, music, toolbars, or other download — so there could be no loss of access in the way the dialog box claimed. This statement was therefore false, as applied to me.

Consider a user who presses “Cancel” in the first screen, but then decides to give 180 a second chance on the strength of the second dialog. When the user presses “Resume” in the second box, the user has not yet accepted 180’s license agreement — probably failing to read it initially (since the user decided to press Cancel, not wanting 180) and certainly failing to accept it. Nonetheless, 180 immediately installs, without offering any further opportunity for a user to access the license or to decline installation. So in 180’s view, the “Resume” button in the second box actually means “I accept the license linked from the prior box but not available on this screen.” That’s a tall order — certainly not what the box plainly says, or what typical users will expect to occur if they press Resume.

Here too, 180 could do much better. 180 could provide a clear description of its effects, using ordinary terms (“pop-up ads”) users can readily understand. 180 could present its installation request with appropriate branding — colors, logo, font, and other characteristics that match 180’s other marketing material. 180 could present its license in a way users can readily read. And 180 could refuse to install when user consent is at best ambiguous (“resume”).

180 is promoting this “stub” installation procedure as a solution to nonconsensual installs. If all 180’s distributors switch to this new installation method, perhaps fewer distributors will be able to infect users in complete silence. But the stub’s tricky text and poor disclosures mean users will still receive 180 software without being fairly told what it is and what it will do to their computers. That’s a far cry from the “informed consent” 180’s press release promises.

Telling the Truth about Installation Tactics

Installation practices occupied center stage at last week’s CNET Download.com‘s anti-spyware conference. Many of the companies whose installation practices I’ve criticized attempted to defend those practices or deflect attention from them. But their explanations and excuses don’t stand up to critical examination.

Does Claria Target Kids? Take Two…

At the CNET conference, I showed my slides of Claria’s misleading ads on kids sites. The audience seemed to think the slides are pretty damning: Claria shows an ad that looks like a Windows dialog box, though it’s not; Claria offers a clock-synchronizing program (which Windows XP users don’t need); Claria installs software with just two clicks; and Claria doesn’t show a license until after the user accepts the installation. All this, on sites targeted at kids — sites with privacy policies that say so, in case the cartoon graphics, simple language, and underlying content (often cartoon video games) weren’t clear enough.

Claria’s CEO, Jeff McFadden, responded in part by claiming that the Ezone site (the example I focused on) isn’t really targeted at kids:

“… There’s a second thing that was mentioned, that this is a kids site. I’m not sure what homework was done on this, because there’s an IDC report that says that online gaming sites, the average age of people who visit those sites is 29. I don’t know if anyone has done a demographic study of this particular site. I was shocked to find that even the Neopets web site that my daughters at home use quite frequently has a very large constituency of housewives that use the site. So we do not ‘target’ kids sites. … ”

conference archive, session 2 recording (MP3), from 1:05:00 to 1:12:38 (excerpt – WindowsMedia), in response to my question at 55:50 to 57:50 (excerpt). See also panelists’ responses at 57:50 to 1:05:00 (excerpt).

IDC may be right that the average age of gaming site visitors is 29. But I doubt demographics are similar at cartoon video game sites like Ezone. With titles like “Beetle Junior” and “Turtle Bay,” it’s hard to think the sites could retain a major adult audience.

What would it take to convince Jeff that the Ezone site really does cater to kids, and that it isn’t an appropriate place to solicit new installations of Claria’s advertising software? Last month I posted several other examples of Claria ads on (what I claim to be) kids sites — not just Ezone, but also a site called Fingertime Games (“lunar mouse house,” “junk food jack” and other games). Today I’m adding one more, which I think is even more clearly targeted at kids. For starters, the site is called Kidzpage — its very name a play on “kids.” Its title bar and “welcome” text both say it’s “for children.” Its advertisement pitch specifically says it’s “for kids and adults … family and students … school-aged children along with the ‘grown-ups’ who supervise them.” It’s linked from Yahooligans (Yahoo for kids). Can anyone seriously dispute that users obtained at such a site will include kids who didn’t know what they were getting, and who couldn’t reasonably consent?

A Claria ad within a site catering to kids.  Note cartoon-style graphics and lettering.  Note "for children" within title bar.

Beyond targeting kids, there’s plenty more wrong with this Claria installation method. See my earlier write-up for discussion of fake-user-interface, unneeded programs, and failure to show a license until after installation occurs. See also Eric Howes‘s Adware Installations of 2005, showing other Claria installations with similar shortcomings.

Ask Jeeves’ Problems: Non-consensual Installations, Semi-consensual Installations

Installation practices seem to be a question that IAC CEO Barry Diller doesn’t fully understand, or at least doesn’t care to talk about. In an earnings call last week, he said AJ “doesn’t have an issue with either spyware or adware.” But more than denying that AJ faces exposure here, Diller didn’t even want to discuss the matter. He continued: “It is an issue, obviously, but it is not our issue. And that’s that. Next question, please?”

Diller is right that the AJ toolbars aren’t either spyware or adware (as I use the terms). After all, the AJ toolbar doesn’t obviously collect much information about what users do (though I don’t fully understand all of AJ’s transmissions). And the AJ toolbar doesn’t show the annoying pop-ups common to most “adware.” (That said, AJ’s toolbar leads users to web pages with lots of PPC ads syndicated from Google. So if some AJ installations are wrongful, remember that Google revenues are ultimately funding AJ’s activities. Google staff tell me they’re “looking into it.”)

But Diller is wrong to so quickly conclude AJ has no problem here, merely because AJ doesn’t make spyware or adware. If AJ software is becoming installed through security holes w/ no notice or consent (it is), and if AJ is offering payments to those who perform these wrongful installations, AJ has a problem no matter how praiseworthy AJ’s software may be. Similarly, if AJ is installing without showing or even referencing a license, while using euphemisms that fail to properly disclose even the most general effects of the programs to be installed (again all true), AJ has a lot to improve. Same if the AJ license agreement is buried at page 48 of a license agreement users aren’t even shown unless they specifically request it (see Kazaa installer).

The basic legal theory — clearly articulated in the NYAG’s complaint against Intermix — is that users ought to control what software runs on their computers. So installations are only proper when they occur with user consent, after clear and straightforward disclosures. Omit the disclosures, or phrase them so euphemistically that users can’t reasonably understand, then the software installation becomes a trespass.

I don’t always agree with Marquette professor Eric Goldman. (In particular, I can’t agree with his calls for narrow liability for actions of distributors and advertisers. This seems like a recipe for unaccountability and for rewarding bad actors. Eric’s approach would encourage “adware” vendors to look the other way when their software is installed wrongfully, and would give a free pass to those who advertise through software installed improperly.) But interestingly Eric and I seem to see AJ the same way — the key question being whether AJ’s installation disclosure and consent is up to par.

180solutions Continues to Become Installed Without Any Consent At All

Representatives from 180solutions made the sensible decision not to claim, within the official CNET conference sessions, that their programs install only with consent. After all, I had screenshots and videos providing the contrary.

But in a video interview made mere minutes before, 180solutions COO Daniel Todd told Dow Jones Marketwatch that “180solutions does not install software on people’s computers without consent.” Only upon further pressing by the interviewer does Todd back-peddle, admitting that some 180 distributors install 180 software with “no consent” or without (what Todd considers) adequate consent.

So Todd admits that some 180 installs are nonconsensual. Yet 180’s web site continues to claim that its software is “permission based” and “only downloaded with user consent.”

Which one is right? My November and March videos show nonconsensual 180 installations in great detail. (I’ll post still more videos in the coming weeks, as to 180 as well as Direct Revenue, eXact Advertising, and many others.) So Todd’s ultimate admission is accurate. Not so for the “only … with … consent” promises on 180’s web site.

Todd later stated that 180 has 7,000 to 10,000 distributors. That’s a huge number — it underscores the practical difficulty of 180 performing meaningful oversight of what its distributors are doing. With so many installation “partners” and so little enforcement or quality control, 180 has created a monster. Who’s going to fix it, and when?

Direct Revenue Commission Skimming

In my final visit to the CNET Q&A microphone, I mentioned Direct Revenue “skimming off the top” — invoking affiliate commission links to claim commissions on purchases users were already making. I previously documented this same behavior by 180solutions — finding it surprisingly widespread, yet reportedly an easy way to make money. (Last year 180 told MSNBC that it made more than $100,000 from Dell in just one month in late 2003.)

Direct Revenue’s commission-skimming was relatively easy to spot — with telltale signs in users’ cookies folders, not to mention noticeable popunders and, as usual, clear records in packet sniffers. So I was pleased to learn that affiliate network Commission Junction has already noticed this scam and, reportedly, taken action. So perhaps there’s less need for me to post the various videos, screenshots, packet logs, and other proof I’ve been accumulating. Instead, I’ll soon be focusing on reporting DR advertisers — some shocking examples, like American Express ads continuing to target kids sites.

Misleading Installations of the Week: PacerD, and Claria’s Dope Wars

It’s Monday morning, so time for more misleading installations. Just like last week, I couldn’t stop at only a single example; again I’m providing two.

PacerD’s misleading pop-ups ask users to “please click yes” to accept “free browser enhancements.” In fact what PacerD offers is an unusually large bundle of a dozen different programs, only some of them disclosed in fine print in PacerD’s mislabeled (apparent, purported) license agreement, which in turn is only shown at a user’s specific request. But click “Yes” once, and your computer will take a turn for the worse, with no subsequent opportunity to cancel.

The PacerD Installation Bundle

As usual, Claria’s approach is somewhat more subtle. When Claria bundles its advertising software with the “Dope Wars” video game, Claria prominently tells users that it will deliver advertising. But Claria mentions effects on privacy only midway through a 43-page license agreement, that begins with three tedious pages of all-caps text. My sense is that few “Dope Wars” players are likely to wade through this lengthy license. So if Dope Wars users install Claria, they’ll do so without first understanding what Claria will do to their PCs.

Claria’s Misleading Installation Methods – Dope Wars

On some level, these two installations could hardly be more different. PacerD installs a dozen programs from numerous different companies; Claria installs just one. PacerD shows a popup while users are just trying to surf the web; Claria’s interruption comes as users are trying to install software they actually want. But in relevant respects, I think these installations are surprisingly similar. For one, both seek to convert users’ computers into advertising channels — tracking what users do, and showing extra advertising. Also, both installations tell users something about the programs they are asked to accept, and both give savvy users an opportunity to learn more, but in each case the prominent on-screen text omits important facts users need to know in order to make sensible choices.

Misleading Installations of the Week: Claria and 180 at Kids Sites

“Adware” companies say their businesses are predicated on user consent. (Claria: “… consumers who agree … “; 180: “permission-based … opt-in”). Notwithstanding, companies’ claims, there’s no doubt that this kind of advertising software is sometimes installed without consent. See the video I posted last year.

But what about those users who supposedly do consent to receive extra pop-ups? Why did they agree to receive extra advertising that so many other users seem to despise? My sense is that users often don’t understand what they’re getting — due to serious deficiencies in installation disclosures. In two new articles, I examine and analyze the installation procedures of Claria and 180, raising doubts as to whether users reasonably knew what would happen when they “accepted” these programs.

Ezone.com, a site targeting children, that nonetheless promotes 180solutions.Can we say that a user “consents” to an installation if the installation occurred after a user was presented with a misleading advertisement that looked like a Windows dialog box? If that advertisement was embedded within a site substantially catering to children? If that advertisement offered a feature known to be duplicative with software the user already has? If “authorizing” the installation required only that the user click on an ad, then click “Yes” once? If the program’s license agreement was shown to the user only after the user pressed “Yes”? These are the facts of recent installations of Claria software from ads at games site Ezone.com.

Details: Claria’s Misleading Installation Methods – Ezone.com

Turning to 180: Can we say that a user consents to an installation of advertising-display software where that installation is prominently described as removing advertisements? Where the installation description uses euphemisms like “show … sponsor websites” but never explicitly states that the program will show advertisements or pop-ups? Where the installation procedure never shows or even references a license agreement? And where all this occurs at sites catering to children?

Details: 180solutions’s Misleading Installation Methods – Ezone.com

Lots of companies want to take advantage of users who may be a bit confused, a bit naive, or a bit too quick to click yes. But where users are recruited at sites catering to children, where ads look like Windows messages, or where installation requests resort to misleading euphemisms, I’m not inclined to say that consumers “consent” to the resulting ads and to the resulting transmission of personal information.

New Series on Spyware Installation Methods

So-called “adware” companies say nonconsensual installations of their programs are just an “urban legend.” (See section 7 of 180’s claims in a recent interview.) But when I talk to users whose computers have become infected, I’m consistently told that they don’t know how they got the unwanted programs, and they say they certainly didn’t consent. How can we understand this divergence? How are users PCs receiving this unwanted software?

My new Spyware Installation Methods sets out a taxonomy of the ways unwanted programs sneak onto users’ computers. Some installations rely on tricking users — for example, showing confusing popups, or claiming or suggesting that an installation is required to view a web site. Others install unwanted software in bundles with programs users actually want — sometimes telling users what they’re getting in fine print midway through long licenses, but sometimes not even including these minimal disclosures. Finally, some spyware sneaks in through security hole exploits — without any user consent at all, thanks to defects in users’ web browsers or other software. (See the security hole video and write-up I posted last fall.)

There’s lots to be done in documenting how unwanted software gets onto users’ PCs. My Installation Methods page indexes my work to date, to the extent it’s posted online. But I have much more documentation still to be posted — for example, scores more videos showing security exploits. I’ll be making additions in the coming months, as I find better ways to present this work clearly and efficiently, and as I find clients or other revenue sources to help support this work. (I’m still looking! Send suggestions.)


Diagram of the steps users must follow in order to attempt to learn what software 3D and BlazeFind will install on their PCs.  Even diligent users ultimately have no way to know in advance what 3D will install on their PCs.Diagram of the steps users must follow in order to attempt to learn what software 3D and BlazeFind will install on their PCs.

Today I’m also starting what I intend to be a series of weekly updates to my site — tentatively entitled “misleading installation of the week.” Sometimes I’ll show massive security hole exploits that render users’ computers nearly useless, but sometimes I’ll post more “ordinary” infections that “merely” show extra ads or send users’ browsing habits to a remote server. At every turn I’ll emphasize the trickery common to most installation methods — the ways that substance (e.g. material omissions, euphemisms, confusing circumstances) and style (e.g. on-screen presentation format, window size and shape, link format) cause users to “accept” software that offers them little or no genuine benefit.

I’m starting this series with an analysis of software from 3D Desktop. 3D’s Flying Icons Screensaver bundles BlazeFind, which in turn bundles 180solutions and half a dozen other programs. To learn what’s included, users must puzzle through a dizzying array of licenses — scroll through one license to find a link to another; scroll through that agreement to find the URLs to others; perfectly retype those URLs; then read each of the resulting licenses. But even if users follow this lengthy procedure, 3D and BlazeFind will ultimately install programs beyond the programs the licenses specifically name. So even diligent users have no way to know in advance what 3D will do to their PCs. Plus, BlazeFind is overzealous in its claims of privacy protection: BlazeFind says the programs it installs don’t track users’ behavior, but my hands-on testing proves otherwise. Details:

3D Desktop’s Misleading Installation Methods

Interestingly, BlazeFind’s license mentions that BlazeFind is a product of CDT, a software distribution company recently purchased by 180solutions. 180 says the CDT acquisition is part of its effort to “clean up” its distribution methods. With practices like these, they certainly have plenty of work ahead. See also a recent Spyware Warrior analysis of other 180 claims and practices in need of correction or improvement.

How Google’s Blogspot Helps Spread Unwanted Software

Google claims to be on the right side of the spyware problem. Its May 2004 Software Principles set out lofty (if somewhat vague) standards for installation notice consent. Its Google Toolbar installer gives impeccable disclosure and obtains true, meaningful, informed consent. (See page 7 of my FTC Comments (PDF).) And Google is a victim of spyware: I’ve tested and studied a number of programs that add bogus search results and advertisements to Google.com results, tarnishing Google’s brand and siphoning advertising revenues that would otherwise accrue to Google.

Yet Google is far from blameless in the spyware battle. Of particular concern: Numerous blogs hosted at Google’s Blogspot service contain JavaScript that tries to trick users into installing unneeded software. At one such blog, users are offered a misleading popup that falsely claims "You have an out of date browser which can cause you to get infected with viruses, spam, and spyware. To prevent this, press YES now." If a user declines, the user is shown a second popup instructing "Click Yes to upgrade," followed by the first popup again. If the user declines a second time, a further popup claims "We strongly recommend you upgrade … Click YES Now!" See screenshots below.

A misleading installation attempt shown on a Blogspot page. A misleading popup attempting to encourage users to accept a misleading installation attempt shown on a Blogspot page. A misleading popup attempting to encourage users to accept a misleading installation attempt shown on a Blogspot page.

If a user presses yes, the user receives certain extra software, often including software that many users would call spyware. The screenshots above show an attempted installation of Elitetoolbar. I have also observed similar popups attempting to install software from Crazywinnings (repeatedly falsely claiming "you have to click yes to continue" if users initially decline the installation) and from Direct Revenue. See a video of the repeated Crazywinnings installation attempts. See also additional screenshots (1, 2, 3, 4) of other software installations and/or other infected Blogspot pages.

Who’s Responsible, and Who’s Able to Stop This Mess?

The popups at issue come from a service called iWebTunes.com. iWebTunes recruits blog authors by giving them music to add to their blogs or other web sites. But as users view the resulting blogs, iWebTunes shows software installation popups to attempt to foist extra programs onto users’ computers. These programs likely pay iWebTunes a commission for each resulting installation.

Users have reported unwanted software offered by Blogspot sites since at least September 2004. See a September 15, 2004 blog post complaining of spyware received from iWebTunes. I reported these problems to Google staff last week, including a specific example of an infected site. But so far Google has taken no action to stop the misleading popups on this site or others. A recent Blogspot tech support response admitted the problem, at least generally, but offered no specific approcah or timetable for resolution.

What should Google do? Google already disallows JavaScript within Blogspot.com posts. (Screenshot.) Apparently Google considers embedded JavaScript too risky — too likely to trick, deceive, or otherwise take advantage of users. But Google oddly allows JavaScript to be added to Blogspot headers and navigation bars. This decision should be reversed. Disallow the JavaScript interface by which iWebTunes gets added to Blogspot pages, so Blogspot pages can no longer trigger misleading JavaScript and ActiveX popups from iWebTunes or elsewhere. Of course some JavaScript code is entirely harmless — like the scripts that embed Google AdSense ads, comments, or polls. But Google should hesitate to permit JavaScript from unknown or known-hostile sources.

So Google is in a natural position to stop this problem. But it’s not the only company that could take action here. As I pointed out earlier this month, VeriSign plays a key role in authorizing ActiveX security warnings like that shown above: The misleading popups are only shown if they carry valid digital certificates, and VeriSign is the primary issuer of such certificates. VeriSign’s existing rules disallow using VeriSign-issued certificates “to distribute malicious or harmful content of any kind … that would … have the effect of inconveniencing the recipient.” I consider the programs above to be harmful for their addition of unwanted software including toolbars, silent auto-updaters, and systems that track and transmit certain personal information. Especially when combined with the popups’ false claims ("… out of date browser" and "you have to click yes") and especially in light of the other misleading circumstances of installation, I see ample basis to conclude that the popups are malicious. These software installation attempts are therefore arguably prohibited by existing VeriSign rules. But I’ve seen little sign of VeriSign acting to enforce its rules. VeriSign’s code signing site offers no obvious standards or procedures for assessing or reporting violations.

More on Google and Spyware: Sponsored Link Advertising from So-Called Spyware Removers

These misleading Blogspot popups are not Google’s only ties to spyware companies. Eric Howes has posted a warning he calls Google & Anti-Spyware Products: Be Wary of Paid Search Results. Eric and others have put together a list of “rogue/suspect” anti-spyware applications that are at best useless (failing to detect or remove bona fide spyware) and at worst malicious (installing new spyware of their own). Comparing current Google advertisers for a search on "spyware" with Eric’s impressively detailed list yields surprisingly numerous matches.

According to Google’s Software Principles, companies should "keep good company" by avoiding doing business with those who don’t meet ethical standards. Yet Google somehow continues to show ads for — and accept advertising payments from — companies whose supposed anti-spyware tools merely take advantage of users’ spyware worries. Google has made some progress at cleaning up the most dishonorable advertising for anti-spyware searches, but its AdWords advertising remains a poor, unreliable source for consumers to find reputable, high-quality anti-spyware applications.

Claria’s Practices Don’t Meet Its Lawyers’ Claims

Among the highlights of my winter holiday reading was a MediaPost interview of Reed Freeman, chief privacy officer of Claria. Freeman makes a series of claims about Claria’s practices — setting out high standards that he claims Claria already meets. As it turns out, his claims are in multiple instances verifiably false.

Removing Claria Programs – Neither “Intuitive” Nor “Standard”

Freeman claims that Claria has “the intuitive and standard Windows uninstall process.” I disagree.

Install Claria software in a bundle with Kazaa, and there will be no “Claria,” “Gator,” or “GAIN” listing in Control Panel’s Add/Remove Programs. Same for the other programs that bundle Gator (like DivX and Grokster). Instead, users who want to remove Gator are required to figure out that they need to select the “Kazaa” entry in Add/Remove Programs. That’s neither intuitive nor standard.

Claria admittedly sometimes tells users about its unusual removal procedure. Five pages (370+ words) into Claria’s license (as shown by Kazaa), Claria mentions “If you would like to stop receiving GAIN-branded advertisements, you will need to remove all GAIN-Supported Software on your computer using … Add/Remove Programs.”

Screen-shot showing that when  Zango comes with Secret Chamber, Zango receives a separate entry in Add/Remove Programs.  Claria's Gator, in contrast, lacks such an entry.Screen-shot showing that when Zango comes with Secret Chamber, Zango receives a separate entry in Add/Remove Programs. Claria’s Gator, in contrast, lacks such an entry.

But Freeman doesn’t claim that Claria’s uninstall process is well-documented. He claims it’s “standard.” To the contrary, when other programs come in bundles, they generally include separate entries in Add/Remove Programs. For example, when RealPlayer comes with Google Toolbar, each program gets a separate Add/Remove listing. Even among so-called “adware” programs (that monitor users’ web browsing and show advertisements), Claria’s approach is unusual. When 180solutions Zango comes bundled with other programs (like Zango Games’ Secret Chamber), Zango has its own entry in Control Panel. See screen-shot at right.

Neither is Claria’s uninstall procedure “intuitive.” The intuitive way to remove an unwanted program is to find it, by name, in Add/Remove Programs. Claria makes the process harder by forcing users to figure out which programs bundled which — an unnecessary procedure that is not “intuitive.” The process becomes even more difficult when Claria cross-promotes its various products: Once a user receives Claria’s advertising-display software, Claria often shows pop-ups that encourage installation of other Claria programs, such as clock synchronizers and weather monitors. As a result, many Claria users run multiple “Gator-supported” applications, each of which must be separately identified and removed to complete Claria’s so-called “intuitive” uninstall.

Also nonstandard is Claria’s prohibition on using “unauthorized” removal methods (namely, removal tools like Ad-Aware and Spybot). See my earlier Gator’s EULA Gone Bad.

One-Step Install, Harder Uninstall

A Claria drive-by installer, installing Claria software (without any further request for consent) if users press Yes.A Claria drive-by installer, installing Claria software (without any further request for consent) if users press Yes.

Freeman later reports “The FTC has long taken the position that consumers should be able to get out of the bargain just as easily as they got into it.” Turning to Claria’s practices, he claims “you can get into our bargain by responding to an ad, and you can get out of our bargain by responding to an ad.”

Freeman makes it sound like removing Claria is as easy as getting Claria, but that’s just not the case. Claria software can become installed after only a single click on a single “Yes” button in a Claria “drive-by” ActiveX pop-up (like the one at right).

Claria uninstallation screen, adding additional steps to attempts to remove Claria software.Claria uninstallation screen, adding additional steps to attempts to remove Claria software.

In contrast, removing Claria requires a longer procedure. At best, click Start – Settings – Control Panel – Add/Remove Programs, then find the installed Claria or third-party program, press Remove, and press Next twice (eight clicks total) . The final two clicks are necessary to decline Claria’s pleas to remain installed. (See the screen-shot at left.) Through this procedure, Claria requires triple confirmation before its software can be uninstalled, even though Claria had requested no extra confirmation to get onto users’ PCs.

So users can receive Claria by clicking once on a single ad, but removing Claria requires many more steps. This design seems like a clear violation of the “get out … as easy as … got in” rule Freeman attributes to the FTC. Why not place a one-click uninstall button on every Claria ad, so users can remove Claria as easily as they got it?

Telling Users What Claria Really Does

Freeman further notes the importance of disclosing what a program will do before that program is installed on a user’s PC. Freeman explains:

“The law is that material terms have to be disclosed prior to a consumer’s taking action. … Material terms, as defined by the FTC, are those that are likely to affect a consumer’s conduct with respect to a product or service. … In my view, the key terms that consumers should know–those that consumers would be unhappy if they didn’t know–are that we will track your online behavior and serve you advertising. Those key material terms are disclosed in every download process … in a way that is unavoidable prior to the consumer taking action “

I applaud Freeman’s emphasis on timely disclosures. But here too, Claria’s actual practices fall short.

Claria’s prominent disclosures say nothing of transmission or storage of users’ activities. The first page of Claria’s license (as shown by the Kazaa installer) mentions that advertisements are “selected in part based on how you surf the Web.” From this disclosure, users could reasonably conclude that Claria’s software chooses ads by mere monitoring of users’ activities — observing a user at one travel site, then showing a pop-up ad for another.

But as it turns out, Claria does more. Claria transmits users’ activities to its servers, then stores this information in a huge database. A November 2003 eWeek article reported that Claria’s then-12.1 terabyte database was already the seventh largest in the world — bigger than Federal Express, and rivalling Amazon and Kmart. A recent Oracle press release touted Claria as “one of the the world’s largest Oracle Data Warehouse … deployments.”

Claria’s license fails to prominently disclose transmission and storage of users’ activities. That advertisements are “selected in part based on how you surf the web” says nothing of any central Claria database recording who goes where. Only at page 11 of 63, 950 words into its 5,900+ word license, does Claria finally explain its true design — transmitting user activities to Claria servers — by admitting that “we do know … some of the web pages viewed” (emphasis added).

Screen-shot showing the disclosure shown by Zango when bundled with Secret Chamber.  Zango prominently discloses that it Screen-shot showing the disclosure shown by Zango when bundled with Secret Chamber. Zango prominently discloses that it “collects” information about users’ web site visits.

Here again, Claria’s disclosure is inferior to its competitors. 180solutions software is sometimes installed without any notice or consent at all — for example, through security holes. (video) But when 180 requests permission to install, it offers a more forthright description of its intended activities. For example, when installed with the Secret Chamber video game, 180 prominently discloses: “Zango collects … information about the websites a user visits.” (screenshot)

A user who receives 180’s disclosure learns that 180 will not only monitor online behavior, but also collect this data. That’s a fact 180 seems to regard as relevant — worth bringing to users’ attention, beyond fine print midway through a long license agreement. It’s a fact of likely interest to many users — who may not want their data stored, perhaps permanently, on Claria’s servers. So this transmission and collection is, in Freeman’s words, a fact consumers “would be unhappy if they didn’t know.” By Freeman’s own standard, then, this fact ought to be more prominently presented in Claria’s disclosure — on page one, not page eleven.

Grokster and Claria Take Licenses to New Lows, and Congress Lets Them Do It

I’ve recently been looking at the unwanted software installed by Grokster (a peer-to-peer filesharing program). Eric Howes has documented Grokster’s exceptionally large bundle, which includes Claria, 411 Ferret/ActiveSearch, AdRoar, Altnet/BDE, BroadcastPC, Cydoor, Flashtrack, MyWay/Mybar, SearchLocate/SideBar, Topsearch, TVMedia, VX2/ABetterInternet, Browser Hijack, two different TopMoxie programs (branded by WebRebates), and several other programs not yet identified.

These programs, in combination, place a major burden on users’ computers: Loading and running so many extra tasks leaves less memory, less bandwidth, and less CPU time for whatever users actually want to do. My lab PCs are fast and well-maintained, but installing Grokster and its bundle makes them sluggish and hard to use. Worse, it’s hard to undo the damage Grokster and its partners cause: Eric also tracks, in unprecedented detail, how even the newest spyware removal applications can’t get rid of all the programs Grokster installs. It’s a mess, Eric’s site explains, and he’s surely right.

But as it turns out, the situation is even worse than Eric realized. As Eric explains, Grokster installs lots of junk if a user presses Accept. However, Grokster also installs software even if the user presses Cancel! That’s right: If a user has second thoughts after seeing the long license agreements, and if the user decides to press Cancel, Grokster’s installer nonetheless installs SearchLocate/SideBar and TVMedia. See the screen-shots below, taken from my video (WMV, 1MB) of the install process. (For best viewing, watch video in full-screen mode.)

C:\Program Files directory before Grokster installation begins.  Click to enlarge.   C:\Program Files folder before Grokster installation begins.
Sorted by date/time, ascending order. Latest entries:

Pressing Cancel in the Grokster installer.  Click to enlarge.   The Grokster installer. I press the Cancel button.

     

C:\Program Files directory after Grokster installation is cancelled.  Click to enlarge.   C:\Program Files folder after Grokster installation terminates.
Sorted by date/time, ascending order. Latest entries:

Notice new entries at the bottom of hte list: SearchLocate and TV Media.  These directories and their contents were created, after I pressed the Cancel button in the Grokster installer.

Equally outrageous are the extraordinarily lengthy license agreements Grokster and its partners ask users to accept. First comes a Claria license agreement that takes, by my count, 120 distinct screens (119 presses of the page-down key) to view in full. As shown in the Grokster installer, Claria’s license has grown to an incredible 6,645 words. So Claria’s current license is 43% longer than the US constitution — before we count the nine separate web pages Claria’s license references, some of them quite lengthy, but which Claria nonetheless claims are “incorporated by reference.” Furthermore, Claria’s license is growing rapidly: When I prepared screen-shots of Claria’s license, as shown by Kazaa in June 2004, the license was 5,541 words long. If Claria’s license continues to grow by 20% every four months, it will be 11,500 words long in October 2005, and 34,300 words long in October 2007. Maybe Claria’s lawyers get paid by the word.

And it gets worse: Grokster installs other programs, with their own licenses, and Grokster shows these many licenses en masse in a subsequent screen. These licenses appear in a text box that, for whatever reason, doesn’t let me to copy its text to the clipboard. So I can’t know the precise word count of the licenses in this second box. But I do know it took 278 page-downs to view the entire license.

That makes a total of 398 page-downs for any user who wants to know what lies in store upon installing Grokster. 398!


This past week, the US House of Representatives passed two bills that purport to address the spyware problem. Would they do anything about Grokster’s outrageous activities?

Goodlatte‘s H.R.4661 prohibits unauthorized software installation — but only under specific, narrow circumstances. I can’t immediately say that SearchLocate/SideBar and TVMedia are used in furtherance of a Federal criminal offense, so Sec.2.(a) is inapplicable. And I can’t say that the programs intentionally obtain or transmit personal information with the intent to defraud, injure, or cause damage. Surely the programs’ authors would deny any such intent. So Sec.2.(b) is inapt too. Looks like Goodlatte’s bill wouldn’t help.

Bono‘s H.R. 2929 does prohibit the unauthorized software installation. Sec.2.(a)(4)(A) specifically bans installing software when a user declines installation. Score one for the good guys.

But suppose Grokster ended the truly outrageous installation of software even when users press Cancel, instead installing its bundle only when users press Accept. (Grokster will more than likely make this change after reading my article.) Then Grokster would be, I fear, substantially compliant with H.R.2929.

For 2929’s purposes, it doesn’t matter that Grokster installs so much software that it essentially ruins even an above-average PC. The bill’s Sec.3. approves of the installation of fifteen programs, or a hundred and fifteen, so long as the user is first shown a single notice that warns “This program will collect information about Web pages you access and will use that information to display advertising on your computer. Do you accept?’ Or, thanks to a recent revision to the bill, the installer can show some other text, so long as it is “substantially similar,” but even if it is more complicated, more confusing, or harder to understand.

I worry that Grokster can and will include the brief disclosure 2929 specifies, or an alternative text that makes the installation sound even more unobjectionable. Then all too many users will be tricked into accepting Grokster’s massive software bundle, and they will find their PCs grind to a halt under the load Grokster and its partners impose. Users will be running Bono-certified software, 100% compliant with relevant law (should Bono’s bill in fact become law). But their computers will be nearly useless nonetheless.

If I were revising Bono’s bill, I’d seek to tighten its requirements. I certainly wouldn’t permit watered-down “substantially similar” disclosures. I’d also prohibit the installation of a bundle of software, where the user requested only a single program, if that bundle has significant adverse effects on the speed and reliability of a typical computer, and if that bundle has no substantial relationship to the software the user initially requested. For bundled programs that show advertising, I’d require that the installation provide a sample of each kind of advertisement to be shown, and I’d require that the installation disclose the typical frequency of ad displays. In short, there are lots of creative ways to tighten the language, so that programs can’t satisfy the bill’s requirements while continuing to trick users into unwanted installations.

Instead, 2929 takes a narrower approach — admittedly stopping a class of outrageous behaviors, but letting all too many continue. Given the bill’s preemption of tougher state laws, this is legislation that, far from stopping spyware, in many respects makes the spyware problem worse.

Can we count on the Senate to close the loopholes in the bills as passed? News coverage suggests that these bills are a done deal already. And Congress has enacted weak legislation before (e.g. CAN-SPAM). So I’m not holding my breath.

Research on WhenU Search Engine Spamming, and Its Consequences updated May 22, 2004

Today I released an article documenting at least thirteen web sites operated with WhenU’s knowledge and approval (if not at WhenU’s specific request) that use prohibited methods to attempt to manipulate search engine results as to searches for WhenU and its products.

Some of these cloaking sites do offer information about WhenU, but their genuine information is interspersed with a mix of gibberish as well as with articles copied, without attribution of any kind, from the New York Times, c|net, and others. Meanwhile, most or all of the sites were registered with invalid whois data — most registered on the same day through the same registrar, but to five different names with five different gibberish email addresses in four states. The details:

WhenU Spams Google, Breaks Google ‘No Cloaking’ Rules

Sound too weird to be true? It turns out these behaviors are part of a practice called “search engine cloaking” — designed to make search engines think a site is about one subject, when in fact the site redirects most visitors to totally different content. The situation is complicated, and the easiest way to understand it is to read my article, complete with HTTP transmission logs and annotated HTML code.

Meanwhile, Google’s response was swift: I notified Google of the cloaking infractions on Sunday, and WhenU’s sites were removed from Google by Wednesday. Try a Google search for “whenu” and see for yourself: You’ll get critics’ sites and news coverage, but not www.whenu.com itself.

In subsequent research, I also found that WhenU has been copying news stories from around the web, without any statement of license from the respective publishers. See WhenU Copies 26+ Articles from 20+ News Sites. After I released this article, WhenU deleted the article copies from the dozen WhenU sites on which they had been posted. Fortunately, I kept plenty of screenshots. Meanwhile, at least one affected publisher has confirmed that the copies were unauthorized.

These aren’t WhenU’s only controversial business practices. For one, there’s WhenU’s core business — showing context-triggered pop-up advertisements that cover other companies’ web sites, without those sites authorization, a subject which has brought on extensive litigation. In addition, I previously discovered that WhenU violates its own privacy policy. In its privacy policy (as it stood through May 22), WhenU tells (told) its users that “URLs visited … are not transmitted to whenu.com or any third party server.” WhenU’s software installers continue to say the same, sometimes even more explicitly (“does not track, collect or send your browsing activity anywhere”). But my research indicates otherwise — that WhenU transmits to its servers the specific web pages users visit, and that it makes these transmissions every time users see WhenU advertisements. Details, including HTTP logs and screen-shots, are in my WhenU Violates Own Privacy Policy.