Narrowly: Nothing forces Uber to suspend service.  Uber could comply with the CPUC’s requirement and continue service by implementing reasonable driver registration precautions, in fact the same precautions that competitor HopSkipDrive has used for years.  The words “no choice” have literal meaning, and that’s just not the situation here.  The real issue is that Uber disagrees with CPUC’s requirement that it check driver fingerprints, arguing that its background checks suffice.  But that disagreement does not compel Uber to discontinue service.  Many people and companies disagree with many laws and regulations.  The normal process is to submit comments in a legislative or rulemaking process,  to sue if you think the rule is so broken that (say) it’s unconstitutional, to invoke political remedies such as replacing whoever imposed the rule, and ultimately to honor the democratic process by complying.  Win some, lose some, and hope to win more than you lose.  In contrast, Uber’s approach is a threat: Either the regulation goes Uber’s way, or Uber will cease service.

Broadly: Uber suggests that CPUC’s regulation is ill-advised.  To evaluate, start with the rationale according to CPUC:

When an adult is being tasked to provide a service to a minor, the adult is placed in a position of trust, responsibility, and control over California’s most vulnerable citizenry—children. Not conducting a fingerprint-based background check to identify adults with disqualifying arrests or criminal records would place the unaccompanied minor in a potentially dangerous, if not life-threatening situation. That is why California Assembly Bill 506 … requir[es] that administrators, employees, or regular volunteers of youth service organizations undergo a background check that includes fingerprinting.

In response, Uber claims that its background checks work well and are sufficient.  Who’s right?  Consider the broader context.  Uber’s background checks rightly deny accounts to drivers with bad driving records, prior ejections from Uber’s platform, or no documentation establishing right to work.  But if a driver can’t pass those checks, the standard strategy is to “borrow” an account from someone who can.  Many people tolerate a certain amount of this for ordinary  adult rides.  As the CPUC explains above, the stakes are higher when transporting minors unaccompanied.  In that special context, higher standards are no surprise.

If fingerprinting drivers were massively costly, it might nonetheless be an unwise investment — a cost exceeding plausible benefits.  For all its protestations to CPUC and to users, Uber never quite explains why it’s (supposedly) so difficult to do what CPUC specifies.  If I had to implement CPUC’s requirement, I’d collect driver fingerprints through smartphones or at the inspection centers that check drivers’ vehicles.  This sounds like software plus business operations — some work, but proportional to the business opportunity of the Uber Teen service.  It feels particularly reasonable because fingerprint security is increasingly common.  While an employee at Microsoft, I had to present my fingerprint to my phone’s Authenticator app to activate two-factor authentication to access company resources.  CPUC similarly seeks fingerprint security for drivers transporting unaccompanied minors.  Why should a minor’s safety get less protection than a company’s secrets?

During the period covered by the suit, hundreds of thousands of child users purchased Facebook Credits for use in playing Facebook-based games and applications. To make such purchases, child users generally used credit cards, debit cards or other payment instruments that belonged to their parents or other responsible adults. Facebook made a practice of retaining the payment information provided at the time of the child user’s initial purchase for easy use in later purchases. Facebook advised that purchases by children were to be made only with the permission of the parent or guardian. Facebook did not, however, require evidence that any of the purchases was actually authorized by the parent, guardian or owner of the payment instrument. In many instances, the child user did not have authorization to use the card or other payment instrument to purchase Facebook Credits. Facebook specified in its terms of use that all transactions are “final”. It later stated that all transactions are “final except as otherwise required by law”.

Facebook’s Terms of Use state that purchase transactions are governed by the law of California. The Family Code of California provides that contracts with minors are voidable by the minor at any time before attaining the age of 18 or within a reasonable time thereafter. The court applied that principle to this case: “The law shields minors from their lack of judgment and experience and under certain conditions vests in them the right to disaffirm their contracts. Although in many instances such disaffirmance may be a hardship upon those who deal with an infant, the right to avoid his contracts is conferred by law upon a minor for his protection against his own improvidence and the designs of others. It is the policy of the law to protect a minor against himself and his indiscretions and immaturity as well as against the machinations of other people and to discourage adults from contracting with an infant.” (MTD decision, October 25, 2012, at pp. 11-12.) The court continued: “[O]ne who provides a minor with goods and services does so at her own risk.” (Id. at p.12.)

Facebook defended the claims in part by arguing that kids had received and used the electronic goods they paid for. The court specifically rejected this reasoning, finding that kids are entitled to refunds even for items they used. “Under California law, a minor may disaffirm all obligations under a contract, even for services previously rendered, without restoring consideration or the value of services rendered to the other party.” (MTD Decision at p.14, internal quotation marks omitted)

Prior to the settlement, Facebook provided an online procedure for refund requests in various specific circumstances such as fraudulent use of a user’s account by a third-party. Facebook’s refund procedure did not include an option to request a refund on the ground that the purchase was made when the user was a minor.

The settlement requires Facebook to apply refund practices and policies with respect to U.S. minors that comply with the California Family Code.

The settlement further requires Facebook to “add to its refund request form for In-App Purchases for U.S. users a checkbox or substantially similar functionality with accompanying text such that users are able to indicate that the In-App Purchases for which they are seeking a refund was made when the user was minor.”

The settlement additionally requires Facebook to “implement a dedicated queue within Facebook to address refund requests in In-App Purchases, made by U.S. Minors subject to verification of minority. The employees staffing the dedicated queue will receive further training regarding how to analyze and process such refund requests in accordance with applicable law.”

If you or your minor child were charged for Facebook credits purchased from an account belonging to someone age 17 or younger, you may be entitled to obtain refunds for such purchases through the use of the dedicated queue established by Facebook as a result of the settlement. Both minor account holders and the parents and guardians of such minors are entitled to claim such refunds. Claim refunds via the Facebook refund tool.

Free access to selected case documents via Archive.org.

In Re In-App Purchase Litigation, Case No. 5:11-CV-01758-EJD (N.D. Cal.)

Case docket including consolidated class action complaint

In today’s post, I report notable current Ask practices. I show Ask ads running on kids sites and in various noxious spyware, specifically contrary to Ask’s prior promises. I document yet another installation of Ask’s toolbar that occurs without user notice or consent. I point out why Ask’s toolbar is inherently objectionable — especially its rearrangement of users’ browsers and its excessive pay-per-click ads to the effective exclusion of ordinary organic links. I compare Ask’s practices with its staff’s promises and with governing law — especially “deceptive door opener” FTC precedent, prohibiting misleading initial statements even where clarified by subsequent statements.

Details:

Current Practices of IAC/Ask Toolbars

180 has cleaned up some of these practices, but the core deception remains. 180 still installs its software in circumstances where reasonable users wouldn’t expect to receive such software — including web sites that substantially cater to kids. And users still aren’t fairly told what they’re slated to receive. 180 says that it shows “advertising,” but no on-screen text warns users that these ads appear in much-hated pop-ups. 180 systematically downplays the privacy consequences of installing its software — prominently telling users what the software won’t do, but failing to disclose what the software does track and transmit. All told, users may have to press a button before 180 installs on their computer, but users can’t reasonably be claimed to understand what they’re purportedly accepting.

Screenshots and detailed analysis:

180solutions’s Misleading Installation Methods – Dollidol.com

My new Hotbar Installs via Banner Ads at Kids Sites shows a variety of unsavory Hotbar practices: Promoting Hotbar advertising software at sites targeting kids, using banners with smiley faces but without mention of ads. Failing to affirmatively show a license agreement, and burying advertising terms so many screens into the license and below such counterintuitively-labeled section headings that users cannot reasonably find the key provisions. First affirmatively mentioning advertising on a screen that offers no Cancel button for users to decline the installation. And ultimately bombarding users with ads in pop-ups, web browser toolbars, Windows Explorer toolbars, auto-opening sidebars, and even desktop icons.

Meanwhile, Hotbar’s C&D indicates that their software is no longer detected by Microsoft Anti-Spyware, Lavasoft Ad-Aware, or McAfee. Why not? Consider Microsoft’s policy statement: “Windows AntiSpyware (Beta) alerts the user to the presence of any automatic pop-up advertising appearing outside the context of the program they are currently using.” This certainly describes Hotbar’s pop-up ads. Yet somehow Hotbar has caused — convinced? persuaded? threatened? — Microsoft not to detect their program.

Of course Hotbar is not the only party to blame. Hotbar’s ads arrive at kids sites through ads syndicated by Fastclick (NASDAQ: FSTC). As a publicly-traded company, surely Fastclick could find a better business than foisting advertising software onto unsuspecting kids.

I’ve recently received a copy of the Cease and Desist letter (PDF) Hotbar sent to Sunbelt. Sunbelt says they’ll be responding shortly, and I’m looking forward to reading their response. Meanwhile, some inaccuracies in the letter are so egregious that I feel obliged to note them immediately.

Hotbar claims to provide its users with “explicit explanations” of its services, and Hotbar therefore claims that users “provide … full conscious consent to each and every aspect of Hotbar software.” That’s not what I’ve seen when I’ve tested Hotbar. Rather, I have observed Hotbar install without even mentioning the word “ads” until a screen at which users aren’t given a “cancel” button. And nowhere does Hotbar affirmatively show users any mention of its numerous forms of ads (pop-ups, pop-unders, toolbar ads, auto-opening sidebars, and even desktop icons). To say Hotbar users “consent to each and every aspect” is truly a puzzling misstatement of the facts — that’s not what I’ve observed, nor is it what I’ve chronicled in screenshots and videos.

Hotbar then claims that Sunbelt “misrepresent[s]” Hotbar when it calls “Hotbar” adware. I don’t get it. How else is Sunbelt supposed to describe a program that tracks users’ online activities and shows ads, including pop-up ads? If Claria is adware — and even Claria says it is! — then surely Hotbar is properly called adware too. Perhaps reasonable people could disagree about the propriety of calling Hotbar spyware. But “adware”? No.

But that’s not the worst of AJ’s practices. Over the past six months, I’ve captured a series of videos showing Ask Jeeves’ MyWay and MySearch software installed through security holes — without notice, disclosure, or consent. For example, in a video I made on March 12, I received more than a dozen different programs including the Ask Jeeves MySearch toolbar — without me ever requesting anything, and without me ever clicking “Yes” or “Accept” in any dialog box. Watch the video and see for yourself. Warning: The video is 16+ minutes long. Security exploit occurs at 6:00, and Ask Jeeves MySearch software is first seen at 15:50. In this same testing, I also received installation of 180solutions, multiple programs from eXact Advertising, the IBIS WebSearch toolbar, PeopleOnPage, ShopAtHomeSelect, SurfSideKick, WindUpdates, and many more. The underlying network transmissions show that the security exploit at issue was syndicated through the targetnet.com ad network — Mamma Media, publicly-traded on Nasdaq Small Cap.

I have other videos available upon request, including nonconsensual AJ installations dating back to November 2004. See also my November 2004 exploit video.

I’m surprised that Ask Jeeves allows these nonconsensual installations. Ask Jeeves is a publicly-traded company with a 10-digit valuation (slated to be acquired by InterActiveCorp for $1.85 billion). If Ask Jeeves staff made a serious effort to screen and supervise their distribution partners, they could prevent this kind of mess.

The biggest news last week was a lawsuit filed by the New York Attorney General’s office against Intermix Media, whose KeenValue, IncrediFind, and other programs show popup ads, add extra browser toolbars, and intercept error messages. These practices are objectionable in and of themselves, but the complaint focuses on the programs’ misleading installations. Sometimes the programs install with no notice at all, the complaint says, and sometimes only with hidden or misleading disclosures users are unlikely to notice or understand.

I have the sense that this suit is the first of many. There are certainly plenty of similar offenders, even big companies with major venture capital funding. I have often written about software from 180solutions, Direct Revenue, and eXact Advertising installing through security holes, practices I’ve continued to observe (including in the video linked above). And Claria’s tricky installations share many of the deceptive characteristics the AG attributes to Intermix, like hiding key terms in “lengthy, legalistic license agreements” and using “vague, incomplete” disclosure text. (See NYAG complaint (PDF), paragraph 9.) So I doubt the NY AG’s office would approve of the Ask Jeeves practices I’m documenting today, nor the other misleading tactics on my spyware installation methods index.

PacerD’s misleading pop-ups ask users to “please click yes” to accept “free browser enhancements.” In fact what PacerD offers is an unusually large bundle of a dozen different programs, only some of them disclosed in fine print in PacerD’s mislabeled (apparent, purported) license agreement, which in turn is only shown at a user’s specific request. But click “Yes” once, and your computer will take a turn for the worse, with no subsequent opportunity to cancel.

The PacerD Installation Bundle

As usual, Claria’s approach is somewhat more subtle. When Claria bundles its advertising software with the “Dope Wars” video game, Claria prominently tells users that it will deliver advertising. But Claria mentions effects on privacy only midway through a 43-page license agreement, that begins with three tedious pages of all-caps text. My sense is that few “Dope Wars” players are likely to wade through this lengthy license. So if Dope Wars users install Claria, they’ll do so without first understanding what Claria will do to their PCs.

Claria’s Misleading Installation Methods – Dope Wars

On some level, these two installations could hardly be more different. PacerD installs a dozen programs from numerous different companies; Claria installs just one. PacerD shows a popup while users are just trying to surf the web; Claria’s interruption comes as users are trying to install software they actually want. But in relevant respects, I think these installations are surprisingly similar. For one, both seek to convert users’ computers into advertising channels — tracking what users do, and showing extra advertising. Also, both installations tell users something about the programs they are asked to accept, and both give savvy users an opportunity to learn more, but in each case the prominent on-screen text omits important facts users need to know in order to make sensible choices.

But what about those users who supposedly do consent to receive extra pop-ups? Why did they agree to receive extra advertising that so many other users seem to despise? My sense is that users often don’t understand what they’re getting — due to serious deficiencies in installation disclosures. In two new articles, I examine and analyze the installation procedures of Claria and 180, raising doubts as to whether users reasonably knew what would happen when they “accepted” these programs.

Can we say that a user “consents” to an installation if the installation occurred after a user was presented with a misleading advertisement that looked like a Windows dialog box? If that advertisement was embedded within a site substantially catering to children? If that advertisement offered a feature known to be duplicative with software the user already has? If “authorizing” the installation required only that the user click on an ad, then click “Yes” once? If the program’s license agreement was shown to the user only after the user pressed “Yes”? These are the facts of recent installations of Claria software from ads at games site Ezone.com.

Details: Claria’s Misleading Installation Methods – Ezone.com

Turning to 180: Can we say that a user consents to an installation of advertising-display software where that installation is prominently described as removing advertisements? Where the installation description uses euphemisms like “show … sponsor websites” but never explicitly states that the program will show advertisements or pop-ups? Where the installation procedure never shows or even references a license agreement? And where all this occurs at sites catering to children?

Details: 180solutions’s Misleading Installation Methods – Ezone.com

Lots of companies want to take advantage of users who may be a bit confused, a bit naive, or a bit too quick to click yes. But where users are recruited at sites catering to children, where ads look like Windows messages, or where installation requests resort to misleading euphemisms, I’m not inclined to say that consumers “consent” to the resulting ads and to the resulting transmission of personal information.

Case details including litigation documents