Category: client security

Earlier this month, the FTC announced the proposed settlement of its investigation into Zango, makers of advertising software widely installed onto users’ computers without their consent or without their informed consent (among other bad practices).

We commend the proposed settlement’s core terms. But despite these strong provisions, bad practices continue at Zango — practices that, in our judgment, put Zango in violation of the key terms and requirements of the FTC settlement. We begin by explaining the proposed settlement’s requirements. We then present eight types of violations of the proposed settlement, with specific examples of each. We conclude with recommendations and additional analysis.

Except where otherwise indicated, this document describes only downloads we tested during November 2006 — current, recent installations and behaviors.

Zango’s Burdens Under the Proposed FTC Settlement

The FTC’s proposed settlement with Zango imposes a number of important requirements and burdens on Zango, including Zango’s installation and advertising practices. Specifically, the settlement:

• Prohibits Zango from using “any legacy program to display any advertisement to, or otherwise communicate with, a consumer’s computer.” (settlement I)
• Prohibits Zango from (directly or via third parties) “exploit[ing] a security vulnerability … to download or install onto any computer any software code, program, or content.” (II)
• Prohibits from Zango installing software onto users’ computers without “express consent.” Obtaining “express consent” requires “clearly and prominently disclos[ing] the material terms of such software program or application prior to the display of, and separate from, any final End User License Agreement.” (III) Defines “prominent” disclosure to be, among other requirements, “unavoidable.” (definition 5)
• Requires Zango to “provide a reasonable and effective means for consumers to uninstall the software or application,” e.g. through a computers’ Add/Remove utility. (VII)
• Requires Zango to “clearly and prominently” label each advertisement it displays. (VI)

These are serious burdens and requirements that, were they zealously satisfied by Zango, would do much to protect consumers from the numerous nonconsensual and misleading Zango installations we have observed.

Zango Is Not In Compliance with the Proposed Settlement

Zango has claimed that it “has met or exceeded the key notice and consent standards detailed in the FTC consent order since at least January 1, 2006.”

Despite Zango’s claim, we continue to find ongoing installations of Zango’s software that fall far short of the proposed settlement’s burdens, requirements, and standards. The example installations that we present below establish that Zango’s current installation and advertising practices remain in violation of the terms and requirements of the proposed settlement.

• “Material Terms” Disclosed Only in EULA
  Zango often announces “material terms” only in its End User License Agreement, not in the more prominent locations required by the proposed settlement. (Examples A, B)
• “Material Terms” Omitted from Disclosure
  Zango often omits “material terms” from its prominent installation disclosures — failing to prominently disclose facts likely to affect consumers’ decisions to install Zango’s software. (Examples A, B, C)
• Disclosures Not Clear & Prominent 
  Zango presents disclosures in a manner and format such that these disclosures fail to gain the required “express consent” of users because the disclosures are not “clearly and prominently” displayed. (Examples B, E, F)
• Disclosures Presented Only After Software Download & Execution
  Zango presents disclosures only after the installation and execution of Zango’s software on the users’ computers has already occurred, contrary to the terms of the proposed settlement. (Examples C, F)
• No Disclosure Provided Whatsoever
  Some Zango software continues to become installed with no disclosure whatsoever. (Example D)
• Installation & Servicing of Legacy Programs
  Older versions of Zango’s software — versions with installation, uninstallation, and/or disclosure inconsistent with the proposed settlement — continue to become installed and to communicate with Zango servers. (Examples C, D, E, F)
• Installations Promoted & Performed through Miscellaneous Other Deceptive Means & Circumstances
  Zango installs are still known to be promoted and performed in or through a variety of miscellaneous practices that can only be characterized as deceptive. (Multiple examples in section G)
• Unlabeled Advertising
  Some Zango advertisements lack the labeling required by the proposed settlement. (Multiple examples in section H)

These improper practices remain remarkably easy to find, and we have numerous additional recent examples on file. Moreover, these problems are sufficiently serious that they cast doubt on the efficacy and viability of the FTC’s proposed settlement as well as Zango’s ability to meet the requirements of the settlement.

Example A: Zango’s Ongoing Misleading Installations On and From Its Own Servers

The proposed settlement requires “express consent” before software may be “install[ed] or “download[ed]” onto users’ PCs (III). The term “prominent” is defined to mean “clear[] and prominent[]” disclosure of “the material terms” of the program to be installed, and most of Zango’s recent installation disclosures seem to meet this standard. But we are concerned by what those disclosures say. In our view, the disclosures omit the material facts Zango is obliged to disclose.

Although the proposed settlement does not explain what constitute “material” terms, other FTC authority provides a definition. The FTC’s Policy Statement on Deception, holds that a material fact is one “likely to affect the consumer’s conduct or decision with regard to a product or service.”

From our analysis of Zango’s software, we think Zango has two material features — two features particularly likely to affect a reasonable user’s decision to install (or not install) Zango software. First, users must know that Zango will give them extra pop-up ads — not just “advertisements,” but pop-ups that appear in separate, freestanding windows. Second, users must know that Zango will transmit detailed information to its servers, including information about what web pages they view, and what they search for.

Unfortunately, many of Zango’s installations fail to include these disclosures with the required prominence. Consider the screen shown at right. Here, Zango admits that it shows “advertisements,” but Zango fails to disclose that its ads appear in pop-ups. Zango’s use of the word “advertisements,” with nothing more, suggests that Zango’s ads appear in standard advertising formats — formats users are more inclined to tolerate, like ordinary banner ads within web pages (e.g. the ads at nytimes.com) or within other software programs (e.g. the ads in MSN Messenger). In fact Zango’s pop-up ads are quite different, in that they appear in pop-ups known to be particularly annoying and intrusive. But the word “advertisements” does nothing to alert users to this crucial fact.

Zango also fails to disclose that its servers receive detailed information about users’ online behavior. Zango tell users that ads are “based on” users’ browsing. But this disclosure is not enough, because it omits a material fact. In particular, the disclosure fails to explain that users’ behavior will be transmitted to Zango, a fact that would influence reasonable users’ decision to install Zango.

In addition, Zango’s description of its toolbar omits important, material effects of the toolbar — namely, that the toolbar will show distracting animated ads. Zango says only that the toolbar “lets [users] search the Internet from any webpage” — entirely failing to mention the toolbar’s advertising,

We’re also concerned about the format and circumstances of these installation screens. Zango’s installation request appears in a Windows Media “license acquisition” screen — a system Microsoft provides for bona fide license acquisition, not for the installation of spyware or adware. Zango’s installer appears within Windows Media Player — a context where few users will expect to be on the lookout for unwanted advertising software, particularly when users had merely sought to watch a video, not to install any software whatsoever. Furthermore, the button to proceed with installation is misleadingly labeled “Play Now” — not “I Accept,” Install,” or any other caption that might alert users to the consequences of pressing the button. The screen’s small size further adds to user confusion: At just 485 by 295 pixels, the window doesn’t have room to explain the material effects of Zango’s software, even with Zango’s extra-small font. (In Zango’s main disclosure, capital letters are just seven pixels tall.) Furthermore, a user seeking to read Zango’s EULA (as embedded in these installation screens) faces a remarkable challenge: The 3,033 word document is shown in a box just five lines tall, therefore requiring fully 53 on-screen pages to view in full. Finally, if a user ultimately presses the “Play Now ” button, then the “Open” button on the standard Open/Save box that follows, Zango installs immediately, without any further opportunity for users to learn more or to change their mind. Such a rapid installation is contrary to standard Windows convention of further disclosures within an EXE installer, providing further opportunities for users to learn more and to change their minds. Video capture of this installation sequence.

All in all, we think typical users would be confused by this screen — unable to figure out who it comes from, what it seeks to do, or what exactly will occur if they press the Play Now button. A more appropriate installation sequence would use a standard format users better understand (e.g. a web page requesting permission to install), would tell users far more about the software they’re receiving, and would label its buttons far more clearly.

These installations are under Zango’s direct control: They are loaded directly from Zango’s servers. Were Zango so inclined, it could immediately terminate this installation sequence, or it could rework these installations, without any cooperation with (or even requests to) its distributors.

Example B: Zango’s Ongoing Misleading Hotbar Installations On and From Its Own Servers

The “express consent” required under the proposed settlement applies not just to software branded as “Zango,” but also to all other software installed or downloaded by Zango. (See “any software” in section III.) The “express consent” requirement therefore applies to Hotbar-branded software owned by Zango as a result of Zango’s recent merger with Hotbar. But Hotbar installations fail to include unavoidable disclosures of material effects, despite the requirements in the proposed settlement.

Consider the Hotbar installation shown in this video and in the screenshots at right. The installation sequence begins with an ad offering “free new emotion icons” (first screenshot at right) — certainly no disclosure of the resulting advertising software, the kinds of ads to be shown, or the significant privacy effects. If a user clicks that ad, the user receives the second screenshot at right — a bare ActiveX screen, again lacking a substantive statement of material effects of installing. If the user presses Yes in the ActiveX screen, the user receives the third screen at right — disclosing some features of Hotbar (e.g. weather, wallpapers, screensavers), and vaguely admitting that Hotbar is “ad supported,” but saying nothing whatsoever about the specific types of ads (e.g. intrusive in-browser toolbar animations) nor the privacy consequences. Furthermore, this third screen lacks any button by which users can decline or cancel installation. (Note the absence of any “cancel” button, or even an “x” in the upper-right corner.)

This installation sequence is substantially unchanged from what Edelman reported in May 2005.

This installation lacks the unavoidable material disclosures required under the proposed settlement. We see no way to reconcile this installation sequence with the requirements of the proposed settlement.

Example C: Incomplete, Nonsensical, and Inconsistent Disclosures Shown by Aaascreensavers Installing Zango Software

We also remain concerned about third parties installing Zango’s software without the required user consent. Zango’s past features a remarkable serious of bad-actor distributors, from exploit-based installers to botnets to faked consent. Even today, some distributors continue to install Zango without providing the required “clear and prominent” notice of “material” effects.

Consider an installation of Zango from Aaascreensavers.com. Aaascreensavers provides a generic “n-Case” installation disclosure that says nothing about the specifics of Zango’s practices — omitting even the word “advertisements,” not to mention “pop-ups” or privacy consequences. (See first screenshot at right.) Furthermore, Aaascreensavers fails to show or even reference a EULA for Zango’s software. Nonetheless, Aaascreensavers continues to place Zango software onto users’ PCs through these installers.

Particularly striking is the nonsensical screen that appears shortly after Aaascreensavers installs Zango. (See second screenshot at right.) Beneath a caption labeled “Setup,” the screen states “the content on this site is free, thanks to 180search Assistant” — although the user has just installed a program (and is not browsing a site), and the program the user (arguably) just agreed to install was called “n-Case” not “180search Assistant.” At least as paradoxically, the “Setup” screen asks users to choose between “Uninstall[ing] 180search Assistant” and “Keep[ing]” the software. Since “180search Assistant” is software reasonable users will not even know they have, this choice is particularly likely to puzzle typical users. After all, it is nonsense to speak of a user making an informed decision to “keep” software he didn’t know he had.

Crucially, both installation prompts omit the material information Zango must disclose under its settlement obligations: Neither prompt mentions that ads will be shown in pop-ups, nor do they mention the important privacy effects of installing Zango software.

Video capture of this installation sequence.

Example D: Msnemotions Installing Zango with No Disclosure At All

Msnemotions continues to install Zango software with no disclosure whatsoever. In particular, Msnemotions never shows any license agreement, nor does it mention or reference Zango in any other on-screen text, even if users fully scroll through all listings presented to them. Video proof.

This installation is a clear violation of section III of the proposed FTC settlement. That section prohibits Zango “directly, or through any person [from] install[ing] or download[ing] … any software program or application without express consent.” Here, no such consent was obtained, yet Zango software downloaded and installed anyway.

In our tests, this Zango installation did not show any ads (although it did contact a Zango server and download a 20MB file). Nonetheless, the violation of section III occurs as soon as the Zango software is downloaded onto the user’s computer, for lack of the requisite disclosure and consent.

Example E: Emomagic Installing Zango with an Off-Screen Disclosure

Emomagic continues to install Zango software with a disclosure buried five pages within its lengthy (23 on-screen-page) license agreement. That is, unless a user happened to scroll to at least the fifth page of the Emomagic license, the user would not learn that installing Emomagic installs Zango too. Video proof.

This installation is a clear violation of the proposed FTC settlement, because the hidden disclosure of Zango software is not “unavoidable.” In contrast, the proposed Settlement’s provision III and definition 5 define “prominent” disclosures to be those that are unavoidable, among other requirements.

We have additional examples on file where the first mention of Zango comes as far as 64 pages into a EULA presented in a scroll box. See also example F, below, where Zango appears 44 pages into a EULA, after the GPL.

Example F: Warez P2P Speedup Pro Installing Zango with an Off-Screen Disclosure

Warez P2P Speedup Pro continues to install Zango software with a disclosure buried 44 pages within its lengthy license agreement. Video proof. Users are unlikely to see mention of Zango in part because Zango’s first mention comes so far down within the EULA.

Users are particularly unlikely to find Zango’s EULA because the first 43 pages of the EULA scroll box show the General Public License (GPL). (Screenshot of the first page, giving no suggestion that anything but the GPL appears within the scroll box.) Sophisticated users may already be familiar with this license, which is known for the many rights it grants to users and independent developers. Recognizing this pro-consumer license, even sophisticated users are discouraged from reviewing the scroll box’s contents in full — making it all the less likely that they will find the Zango license further down.

After installation, Warez P2P Speedup Pro proceeds to the second screen shown in Example C, above. The video confirms the special deceptiveness of this screen: If a user chooses the “uninstall” button — exercising his option (however deceptively mislabeled) to refuse Zango’s software — the user then receives a further screen attempting to get the user to change his mind and accept installation after all. The substance of this screen is especially deceptive — asking the user whether he wants to “cancel,” when in fact he had never elected even to start the Zango installation sequence in the first place. Finally, if the user presses the “Exit Setup” button on that final screen, the user is told he must restart his computer — a particularly galling and unnecessary interruption.

Section G: Zango Installations Predicated on Consumer Deception or on Use of Other Vendors’ Spyware

We have also observed Zango installs occurring subsequent to consumer deception or other vendors sending spyware-delivered traffic to Zango.

Fullcontext spyware promoting Zango. We have observed Fullcontext spyware (itself widely installed without consent) injecting Zango ads into third parties’ web sites. Through this process, Zango ads appear without the permission of the sites in which they are shown, and without payment to those sites. These ads even appear in places in which no banner ads are not available for purchase at any price. See e.g. the screenshot at right, showing a Zango banner ad injected to appear above Google’s search results.

Typosquatters promoting Zango. Separately, Websense and Chris Boyd recently documented Zango installs commencing at “Yootube”. “Yootube” is a clear typosquat on the well-known “Youtube” site — hoping to reach users who mistype the address of the more popular site. If users reach the misspelled site, they will be encouraged to install Zango. Such Zango installations are predicated on a typosquat, e.g. on users reaching a site other than what they intended — a particularly clear example of deception serving a key role in the Zango installation process.

Spyware bundlers promoting Zango. In our testing of summer and fall 2006, we repeatedly observed Zango “S3” installer programs downloaded onto users’ computers by spyware-bundlers themselves operating without user consent (e.g. DollarRevenue and TopInstalls). Users received these Zango installation prompts among an assault of literally dozens of other programs. Any consent obtained through this method is predicated on an improper, nonconsensual arrival onto users’ PCs — a circumstance in which we think users cannot grant informed consent. Furthermore. the proposed settlement requires “express consent” before “installing or downloading” (emphasis added) “any software” onto users’ PCs (section III). Zango’s S3 installer is a “software program” within the meaning of the proposed settlement, yet DollarRevenue and TopInstalls downloaded this program onto users’ computers without consent. So these downloads violate the plain language of the proposed settlement, even where users ultimately refuse to install Zango software.

Update (December 8): We have uncovered still other Zango installations predicated on deception, including on phishing at MySpace. We discuss these improper practices in our follow-up comment to the FTC. Our bottom line: These Zango installs are disturbing not because they put zango in violation of hte terms of hte proposed settlement, but precisely because they do not — because tehse isntallations, disturbing though they may be, do not clearly violate any of the settlement’s requirements. These installations raise the alarming prospect that this settlement could allow Zango to continue to pay distributors to create malicious and/or deceptive software and web pages.

Section H: Unlabeled Ads

Today CDT filed a further comment about the FTC’s proposed settlement, focusing in part on Zango’s recent display of unlabeled ads, again specifically contrary to Zango’s obligations under the proposed settlement (section VI). CDT has proof of 39 unlabeled ads — 10% of their recent partially-automated tests — in which Zango’s pop-up ads lacked the labeling required under the proposed settlement. CDT explains that the ads “provide[d] absolutely no information that would allow consumers to correlate the advertisements’ origins to Zango’s software.”

We share CDT’s concern, because we too have repeatedly seen these problems. For example, this video shows a Zango ad served on November 19, 2006 — with labeling that disappears after less than four seconds on screen (from 0:02 to 0:06 in the video). Furthermore, Edelman first reported this same problem in July 2004: That when ads include redirects (as many do), Zango’s labeling often disappears. Compliance with the proposed settlement requires that Zango’s labeling appear on each and every ad, not just on some of the ads or even on most of the ads. So, here too, Zango is in breach of the proposed settlement.

Furthermore, the proposed settlement’s labeling requirement applies to “any advertisement” Zango serves — not just to Zango’s pop-ups, but to other ads too. Zango’s toolbars show many ads, as depicted in the screenshots below. Yet these toolbars lack the labeling and hyperlinks required by the proposed settlement. These unlabeled toolbars therefore constitute an additional violation of Zango’s duties under the proposed settlement.

The Size of Zango’s Payment to the FTC

We are puzzled by the size of the cash payment to be made by Zango. We understand that the FTC’s authority is limited to reclaiming ill-gotten profits, not to extracting penalties. But we think Zango’s profits to date far exceed the $3 million payment specified in the proposed settlement.

Available evidence suggests Zango’s company-to-date profits are substantial, probably beyond $3 million. As a threshold matter, Zango’s business is large: Zango claims to have 20 million active users at present (albeit with some “churn” as users manage to uninstall Zango’s software). Furthermore, Zango’s revenues are large: Zango recently told a reporter of daily revenues of $100,000 (i.e. $36 million per year), a slight increase from a 2003 report of $75,000 per day. With annual revenues on the order of $20 to $40 million, and with three years of operation to date, we find it inconceivable that Zango has made only $3 million of profit.

Zango’s prior statements and other companies’ records also both indicate that Zango’s profits exceed $3 million. A 2005 Forbes article confirms high profits at Zango, reporting “double-digit percentage growth in profits” — though without stating the baseline level of profits. But financial records from competing “adware” vendor Direct Revenue indicate a remarkable 75%+ profit margin: In 2004, DR earned $30 million of pre-tax profit on $38 million of revenue. Because Zango’s business is in many respects similar to DR, Zango’s profit margin is also likely to be substantial, albeit reduced from the 2004-era “adware” peak. Even if Zango’s profit margin were an order of magnitude lower, i.e. 7%, Zango would still have earned far more than $3 million profits over the past several years.

If Zango’s profits substantially exceed $3 million, as we think they do, the settlement’s payment is only a slap on the wrist. A tougher fine — such as full disgorgement of all company-to-date profits worldwide — would better send the message that Zango’s practices are and have been unacceptable.

Zango’s Statements and the Need for Enforcement

In its November 3 press release, Zango claims its reforms are already in place. “Every consumer downloading Zango’s desktop advertising software sees a fully and conspicuously disclosed, plain-language notice and consent process,” Zango’s press release proclaims. This claim is exactly contrary to the numerous examples we present above. Zango further claims that it “has met or exceeded the key notice and consent standards detailed in the FTC consent order since at least January 1, 2006” — again contrary to our findings that nonconsensual and deceptive installations remain ongoing.

From the FTC’s press release and from recent statements of FTC commissioners and staff, it appears the FTC intends to send a tough message to makers of advertising software. We commend the FTC’s goal. The proposed settlement, if appropriately enforced, might send such a message. But we worry the FTC will send exactly the opposite message if it allows Zango to claim compliance without actually doing what the proposed settlement requires.

As a first step, we endorse CDT’s suggestion that the FTC require Zango to retract its claim of compliance with the proposed settlement. Zango’s statement is false, and the FTC should not stand by while Zango mischaracterizes its behavior vis-a-vis the proposed settlement.

More broadly, we believe intensive ongoing monitoring will be required to assure that Zango actually complies with the settlement. We have spent 3+ years following Zango’s repeated promises of “reform,” and we have first-hand experience with the wide variety of techniques Zango and its partners have used to place software onto users’ PCs. Testing these methods requires more than black-letter contracts and agreements; it requires hands-on testing of actual infected PCs and the scores of diverse infection mechanisms Zango’s partners devise. To assure that Zango actually complies with the agreement, we think the FTC will need to allocate its investigatory resources accordingly. We’ve spent approximately 10 hours on the investigations leading to the results above, and we’ve uncovered these examples as well as various others. With dozens or hundreds of hours, we think we could find many more surviving Zango installations in violation of the proposed settlement’s requirements. We think the FTC ought to find these installations, or require that Zango do so, and then ought to see that the associated files are entirely removed from the web.

Update (December 8): Our follow-up comment to the FTC discusses additional concerns, further ongoing bad practices at Zango, and the special difficulty of enforcement in light of practices seemingly not prohibited by the proposed settlement.