Right media considers systems and policies to make sure that ads are only shown on web sites where they are appropriate, and vice versa. Setting standards is particularly challenging given the large and growing marketplace, the numerous participants, their diverse requirements, and the dynamics of policy enforcement when market participants are competing intensely.
Teaching materials:
Ad Classification at Right Media – Teaching Note (HBP 909037)
Ad Classification at Right media – Slide Supplement (HBP 911038)
Ad Classification at Right media – Slide Supplement (widescreen) (HBP 914054)
Ad Classification at Right media – Pre-Class Slides (HBP 911037)
Not every “anti-spyware” program is what it claims to be. Some truly have users’ interests at heart — identifying and removing bona fide risks to privacy, security, stability, or performance. Others resort to a variety of tricks to confuse users about what they’re getting and why they purportedly need it.
This article reports the results of my examination of anti-spyware software from C-NetMedia. I show:
Deceptive advertising, deceptive product names, and deceptive web site designs falsely suggest affiliation with security industry leaders. Details.
The use of many disjoint product names prevents consumers from easily learning more about C-Net, its reputation, and its practices. Details.
High-pressure sales tactics, including false positives, overstate the urgency of paying for an upgraded version. Details.
Note that C-NetMedia is unrelated to the well-known technology news site CNET Networks. Details.
Deceptive advertising, deceptive product names, and deceptive web site design falsely suggest affiliation with security industry leaders.
Some C-NetMedia products are marketed using practices, keywords, labels, and layouts that falsely suggest they come from security industry leaders. This suggestion comes from both the actions of C-Net itself, as well as from the actions of C-Net’s marketing partners.
Google Shows Deceptive Ads for C-NetMedia’s Products
Consider the top three ads for a Google search for “Spybot”, a popular early anti-spyware program (full name “Spybot Search & Destroy”). As shown at right, the top three ads each specifically mention “Spybot” — the first two, in directory names; the third, in its domain name. Furthermore, all three ads also include the distinctive and original phrase “Search & Destroy” that specifically describes the genuine Spybot product. Yet in fact each of these three ads takes users to the unrelated site spywarebot.com (emphasis added) (screenshots: 1, 2, 3). Clicking the first ad immediately takes a user to spywarebot.com via the ClickBank advertising network. As to the second and third ads, traffic flows through independent “landing page” sites which in turn show ClickBank links to promote Spywarebot. These landing pages are hosted on the deceptively-named domains named spybot-sd-info.com and www-spybotcom.com — each further (but falsely) suggesting an affiliation with the genuine “spybot” product.
C-NetMedia partners similarly fill top ad spots for a search for “Ad-Aware”, another well-known anti-spyware program. The top ad promotes C-Net’s adwarealert.com — a name particularly likely to confuse users because the ad’s title and domain differ from the user’s request by just a single letter. The first ad takes the user to adwarealert immediately, while the second ad takes users to a www-ad-ware.com landing page which also promotes adwarealert.com (again via ClickBank).
Other deceptive C-NetMedia partners pervade search results for spyware-removal search terms. See e.g. “Spybot-free.com” using distinctive “Spybot” “Search & Destroy” marks to promote C-Net’s spywarebot.com. See also C-Net’s Registrysmart.com advertising with ad title “Microsoft Antispyware” in Google results for searches on “Microsoft Spyware”. Because the Registrysmart ad title touts “Microsoft Antispyware”, users might reasonably think the ad will yield an official Microsoft site that actually provides the free “Microsoft Antispyware” product. But in fact the link leads only to a C-Net site with paid products.
C-NetMedia may claim that these ads were placed by affiliates. But the actions of these affiliates are prominent — occurring on search terms as well-known as “Spybot” and “Ad-Aware.” These actions are also longstanding: My October 2006 False and Deceptive Pay-Per-Click Ads shows that some of these ads have continued for more than a year. Furthermore, these affiliates act for C-Net’s benefit, and C-Net has the right and ability to monitor them, to oversee their activities, and to limit their efforts as it sees fit. Finally, FTC litigation confirms that companies can be liable for the actions of their affiliates and marketing partners. See e.g. US v. APC Entertainment (advertiser liable for sexually-explicit unsolicited commercial email sent by its affiliates), In the Matter of Zango, Inc. (advertising software company liable for nonconsensual and deceptive installations of its software by its partners), In the Matter of Direct Revenue LLC (same).
C-NetMedia’s involvement in these advertising practices is heightened by C-Net’s own selection of product names. C-Net, not its affiliates, chose product names so close to established market leaders — names that invite consumer confusion. C-Net furthers the confusion by calling its products “official” (e.g. “The Official Ad-Ware Client“, emphasis added) when there is no meaningful sense in which C-Net’s products are more “official” than any other. Indeed, when users arrive at C-Net sites after requesting similarly-named better-known competitors, C-Net’s offerings are exactly not the official products users specifically requested by name.
Some C-Net sites are also deceptive in that their titles and graphic design falsely suggest they are an official part of Windows. Consider antispyware.com. The site’s heading presents the generic title “AntiSpyware For Windows” — without mentioning any company name or showing any other prominent indication that the product is not actually part of Windows. Furthermore, antispyware.com shares numerous graphic design elements with official Microsoft sites: Like official Microsoft sites, antispyware.com features a broad blue bar across the top of the page, bold white type at top-left with smaller white type at top-right, a grey navigation bar down the left edge (with thin black lines as section separators, and with simple black text), a grey nav bar down the right edge (with broad grey bars to separate sections, and with blue bulleted text), a grey background, a skewed 3D rendering of a product screen at page center, and a vivid colored bubble at top-center, linking to a product download. See the two screenshots below — antispyware.com on the left, and the official Microsoft Windows Defender download page on the right. These many visual similarities make it especially likely that a user at antispyware.com will mistakenly believe the site is an official Microsoft offering.
C-NetMedia’s Antispyware.com
Microsoft Windows Defender
Some C-NetMedia sites give users the false impression that they are bona fide informational sites rather than commercial advertisements. For example, Remover.org presents itself as a general-purpose spyware information site, but Remover.org actually promotes only one product — C-Net’s “AntiSpyware For Windows.” Furthermore, Remover.org claims to have “one goal and one purpose: to win the war on spyware” — suggesting a non-commercial purpose, when in fact Remover charges a fee for its removal program. The totality of these practices suggests that a user at Remover.org may reasonably think he is viewing an ordinary informational site and/or a source of unbiased reviews, when in fact the site is a C-Net advertisement.
Hindering Consumer Investigations through Use of Numerous Product Names and Domains
C-Net uses exceptionally many product names and domain names. My analysis indicates that the following products and domains all come from C-NetMedia:
The United States Patent and Trademark Office’s Trademark Search provides the brunt of my evidence that the listed sites are associated with C-Netmedia. Other evidence comes from the 73.32.242.168-175 network block that C-Net uses at Rackspace. (Rackspace also hosts all of the other listed C-Net sites. The 64.49.219.215 server is indeed a Rackspace server, despite its distant IP address.) My conclusion is bolstered by the many other similarities among these sites, including their common substantive theme, structure, layout, registration method, and advertising relationships and suppliers. Furthermore, the sites’ programs are largely similar — with identical detections, false-positives, and user interfaces.
An ordinary user would face substantial difficulty in determining that a given site is operated by C-NetMedia or in finding C-Net’s contact information. At a few of the sites, a user would at least find a street address in Whois. But the other domains all lack useful Whois data. Furthermore, while the listed web sites offer email and/or chat support, they all lack a phone number, mailing address, or even a legal name or place of incorporation. A user seeking to send a formal complaint therefore has no clear means to do so. Savvy users might notice a reference to C-NetMedia within a program’s license agreement. But these references appear only in the licenses shown by programs’ installers — not in the license agreements linked from the corresponding web sites. So these references to C-Net are especially hard to find after a user has already received C-Net software.
A user who manages to identify the C-Net company name, e.g. from trademark applications, is still substantially stymied in learning more about the company. The name “C-NetMedia” immediately suggests an association with CNET Networks, Inc., the well-known news site at www.cnet.com. In fact C-NetMedia and CNET Networks are entirely unrelated. But by choosing a name that matches an existing company, C-Net hinders attempts to learn more about its practices: Searches for “C-Net” overwhelmingly yield references to CNET Networks.
C-Net’s use of many names brings valuable benefits to C-Net but real costs to users: The numerous names prevent users’ unfavorable views of specific C-Net products (examples: 1, 2, 3, 4, 5) from easily spreading to other C-Net products. If C-Net had only a single product, users searching for that product would easily find the complaints of prior dissatisfied users. But by shifting from name to name, C-Net can abandon product names with unfavorable coverage, in each instance starting fresh with a new name. In this regard, C-Net’s approach is strikingly similar to Direct Revenue’s use of dozens of company and product names.
It seems C-Net sometimes uses the name 2squared to describe its offerings. The 2squared.com site claims to be the maker of at least some of C-Net’s products (including ErrorSweeper and RegClean). While C-Net’s trademark applications list one address in Mobile, Alabama (590 B Schillinger Road South, Suite 8), 2squared provides the adjacent suite 10.
C-Net’s trademark applications all list Erik Mv. Pelton as their attorney of record. Mr. Pelton’s tm4smallbiz.com site indicates that he is a bona fide trademark attorney with an office in Arlington, Virginia.
High-Pressure Sales Tactics and False Positives
C-NetMedia SpywareBot False Positives
Once a user installs C-NetMedia’s free trial software, C-Net resorts to high-pressure tactics to encourage users to make a purchase.
I tested C-Net’s SpywareBot on a clean PC running Windows XP with no service packs,. My test PC was supplemented only by the ordinary analysis tools I use to study spyware and adware infections. SpywareBot detected Regsnap, my registry change-tracking tool, as the “Absolute Keylogger.” Bold red “Warning” messages repeatedly alerted me to the supposed “43 parasites” on my computer, and a “toast”-style slider arose from the bottom-right corner of my screen. Perhaps this was just an ordinary false positive — a mistake that any security program can make. But C-Net’s error was unusually self-serving in that C-Net requires users to pay a fee — in this case $19.95 — before removing any of the items it detects.
C-Net’s many products mean extended further investigation would be required to fully determine the effectiveness and error rates of C-Net’s various programs. Due to the seriousness of the advertising practices described above, I have chosen to post this article without fully testing for such false positives or other deficiencies across all of C-Net’s programs and across a variety of test computers. I will update this article to link to any such research performed by others.
Other Anomalous Marketing Practices: Affiliate Programs, Certifications, and Logos
C-NetMedia’s marketing programs are striking in their generosity: C-Net offers its affiliates 70% commissions on users’ purchases. Such large commissions tend to suggest that charges to users bear little relationship to the underlying cost of providing the service. In particular, when a user arrives at C-Net’s site through an affiliate link, at least 70% of the user’s payment goes towards marketing costs. But if marketing receives 70% of revenue, relatively little remains to fund product design or other core business functions. A user might be better off with a free product — such as the free products with names nearly identical to the names C-Net selected.
C-NetMedia sites systematically and prominently tout certifications that are substantially irrelevant to the true attributes of C-Net software. For example, C-Net’s Adwarealert site boasts a McAfee HackerSafe logo. When this logo appears on a site offering security software, a user might reasonably think the logo means the site’s software will keep the user safe from hackers. But in fact HackerSafe signifies nothing of the kind: HackerSafe has merely checked the Adwarealert web server for a set of known security problems. C-Net’s use of the HackerSafe certification thus has the tendency to deceive, i.e. to leave users with an untrue impression of the certification’s significance.
Update (February 14, 11:30am): I notice that McAfee has withdrawn HackerSafe certification of C-NetMedia sites. C-NetMedia sites now show blank space where the logo previously appeared.
Adwarealert also features a Microsoft “Certified for Windows Vista” seal. Microsoft’s certification list confirms that Adwarealert did receive this certification. But it seems Adwarealert does not truly qualify for this certification because Adwarealert violates rule 1.11 of the Microsoft certification requirements, namely the requirement that a certified program comply with all applicable guidelines from the Anti-Spyware Coalition. The ASC’s Risk Model negatively characterizes incomplete or inaccurate identifying information; obfuscation; and misleading, confusing deceptive or coercive messaging or false claims to induce users to take action. By failing to readily provide accurate contact information, by using misleading product names, and by reporting false positives with a request for payment, Adwarealert violates each of these requirements. I therefore conclude that Adwarealert is ineligible for the “Certified for Windows Vista” certification.
C-NetMedia’s sites also feature unsubstantiated claims of product benefits. C-Net sites feature the following logos: “Guaranteed – 100% No Adware or Spyware”, “#1 Most Advanced Privacy Software”, “#1 Registry Cleaner”, “100% Safe and Secure”, “Total Privacy Protection,” “Most Advanced Anti-Spyware Detection,” and “World’s #1 Spyware Remover.” None of these claims contains, references, or links to any substantiation, documentation, or other supporting details. Some of these claims are presented in graphical form, i.e. in logos that appear to be endorsements or certifications. But C-Net gives no indication of any bona fide third party offering these endorsements; instead, the graphics seem to be C-Net’s own creation.
Work To Be Done
My analysis shows ample room for online advertising and security vendors to better protect users from C-NetMedia’s deceptive advertising practices:
Google and other search engines could block the widespread deceptive ads from C-NetMedia and its marketing partners. C-Net and its partners have continued these practices for more than a year. Google claims to be tough on malware, and Google does exclude some harmful organic search results. But Google has been ineffective in removing the false and deceptive ads shown above, among many others, despite ample complaints from users and security researchers.
McAfee could remove its Hacker Safe certification from C-NetMedia sites. At present, the McAfee logo gives users the false impression that McAfee endorses C-Net and the McAfee vouches for the effectiveness of C-Net’s software. I gather neither is truly the case. Indeed, McAfee’s HackerSafe certifies some C-Net sites at the same time that McAfee’s SiteAdvisor characterizes rates those same sites as red. In my view, the SiteAdvisor rating better describes the view of security experts and better serves typical users. (Disclosure: I serve as a member of the Board of Advisors of McAfee SiteAdvisor.) (Update, February 14, 11:30am: McAfee has withdrawn HackerSafe certification of C-NetMedia sites.)
Microsoft could withdraw its Certified for Windows Vista certification on the basis of C-NetMedia’s violations of various ASC rules, as cited above. Anticipating this kind of harmful marketing practices, Microsoft’s certification rules provide ample basis for excluding C-Net on the basis of its deceptive advertising. Microsoft’s concern should be particularly acute because C-Net copied the layout and format of the Microsoft Antispyware site, because C-Net marketing partners trade on Microsoft’s brand name and product names, and because C-Net products worsen the experience of Windows users (i.e. by charging a fee for security software, when Microsoft provides similar software for free).
ClickBank could eject C-NetMedia from ClickBank’s affiliate network due to the pattern and practice of false and misleading ads placed by ClickBank affiliates in their promotion of C-Net offers. ClickBank’s Client Contract specifically prohibits fraudulent, deceptive, false or misleading information in advertising messages (clause 7.n.), and Clickbank reserves the right to immediately suspend violators (9.d.). But at present, C-NetMedia seems to remain a ClickBank clent in good standing.
Thanks to security researcher Janie Whitty for references on C-NetMedia’s trademark registrations.
The information required to retrieve a customer’s purchase history
A customer’s purchase history – showing specific items and purchase dates
Sears Fails to Protect Customer Information
Sears offers no security whatsoever to prevent a ManageMyHome user from retrieving another person’s purchase history by entering that person’s name, phone number, and address.
To verify a user’s identity, Sears could require information known only to the customer who actually made the prior purchase. For example, Sears could require a code printed on the customer’s receipt, a loyalty card number, the date of purchase, or a portion of the user’s credit card number. But Sears does nothing of the kind. Instead, Sears only requests name, phone number, and address — all information available in any White Pages phone book.
Neither does Sears even include any special instructions or obligations in its signup agreement with users: The ManageMyHome Terms of Use say nothing about what information users may access. Indeed, while Sears includes a small-type link to its Terms of Use, Sears never asks users to affirmatively accept the Terms.
These Disclosures Are Contrary to Sears’s Explicit Promises
Sears violates its privacy policy when it discloses users’ purchases to the general public. The Sears Customer Information Privacy Policy lists specific circumstances in which Sears may share customer information. These circumstances are relatively broad — allowing Sears to share customer data “with members of the Sears family of businesses … to provide … promotional offers that we believe will be of interest.” Disclosures are also permitted “to provide [users] with products or services that [they] have requested,” to “trusted service providers that need access to your information to provide operational or other support services,” to credit bureaus, and to regulatory authorities and law enforcement. But none of these provisions grants Sears the right to share users’ purchases with the general public.
Sears may argue that its web site privacy policy only applies to users’ online purchases, and does not govern purchases made in retail stores. Perhaps. But I doubt in-store customers expect their friends, neighbors, and the general public to be able to find out what they bought. I’m still trying to determine what privacy (if any) Sears promises its in-store customers.
Sears’s Privacy Breach in Context
Sears’s exposure of customer purchase history fits within a long history of unintended web site disclosures. For example, in October 2000 I showed that Buy.com’s return system was revealing customer names, addresses, and phone numbers at publicly-available URLs. But Sears’s disclosure is more troubling: Sears discloses the specific products users purchased. Sears’s disclosures apply to all users, not just those who return products. And Sears’s disclosures come some 7+ years after Buy.com’s breach — a period of great advance in online security.
The combination of data Sears provides could open the door to serious harms to Sears customers. ManageMyHome reports the specific products customers purchased, as well as the dates of each such purchase. With this information, a miscreant could approach a customer and pretend to be a Sears representative. Consider: “Your washing machine was recalled, and I need to install a new motor.” Or, “I’m here to provide the free one-year check-up on your dishwasher.”
Assessing Sears’s IT Strategy
The ManageMyHome site offers some useful services: Consolidated information about dates of purchase, clear listing of warranty status, and easy links to product manuals. Sears touted these benefits in its recent coverage of ManageMyHome.
But as soon as Sears resolved to provide online access to customers’ purchase histories, Sears staff should have recognized the need to determine which users are truly authorized to see this information. Sears’s failure to effecitvely authenticate users is therefore puzzling. Did Sears staff fail to notice the problem? Decide to ignore it when they couldn’t devise an easy solution to protect users’ purchase histories? Resolve to argue that purchase history merits no better protection than the current system provides?
Combining this privacy breach with Sears’s poorly-disclosed installation of ComScore tracking software, it appears that Sears is not effectively protecting its users’ and customers’ privacy. Perhaps that’s no surprise in light of Sears’s recent financial distress — a 99% drop in profits in third quarter 2007, compared with the third quarter of 2006. But users need not accept excuses for Sears’s lackadaisical treatment of their private information. No matter the company’s financial standing, Sears ought to comply with its stated privacy policy and treat user information with the care users rightly expect.
Sears’s Response
I wrote to Sears ManageMyHome via the addresses on their Contact Us page. To their credit, they responded quickly (less than ninety minutes). However, their reply does not address the seriousness of this situation. Their reply follows:
“We appreciate that you have a security concern. Thank you for taking the time to share your comments with us. We appreciate hearing feedback from our customers, and will pass this information to the appropriate area to research.”
Update (January 4, 5pm): Sears has disabled the search feature described above. Attempts to retrieve a purchase history now yield the message “We’re sorry, this feature is currently disabled.”
Thanks to an anonymous contributor, using pseudonym Heather H, for the tip that led to this article.
Late last month, Benjamin Googins (a senior researcher in the Anti-Spyware unit at Computer Associates) critiqued a ComScore installation performed by Sears’ “Sears Holdings Community” (“My SHC Community” or “SHC”). After reviewing the installation sequence, Ben concluded that the installation offered “very little mention of software or tracking” and otherwise fell short of CA and industry standards. I agree.
I write today to add my own critique. I begin by presenting the entire installation sequence in screenshots and video. I then explain why the limited notice provided falls far short of the standards the FTC has established. Finally, I show that Sears’ claims of adequate notice are demonstrably false.
The SHC Installation Sequence
The SHC installation proceeds in four steps:
1) An email from Sears after a user provides an address at Sears.com. In seven paragraphs plus a set of bullet points, 582 words in total, the email describes the SHC service in general terms. But the paragraphs’ topic sentences make no mention of any downloadable software, nor do the bullet points offer even a general description of what the software does. The only disclosure of the software’s effects comes midway through the fourth paragraph, where the program is described as “research software [that] will confidentially track your online browsing.” Sophisticated users who notice this text will probably abandon installation and proceed no further. But novices may mistakenly think the tracking is specific to Sears sites: SHC is a research program offered by Sears, so it is difficult to understand why tracking would occur elsewhere. Furthermore, the quoted text appears midway through a paragraph — in no way brought to users’ attention via topic sentences, headings, section formatting, or other labels. So it’s strikingly easy to miss.
2) If a user presses the “Join” button in the email, the user is taken to a SHC web-based installation sequence that further details SHC’s offerings. The first page describes some aspects of SHC in reasonable detail — with six prominent and clear bullet points. Yet nowhere does this text make any mention whatsoever of downloadable software, market research, or other tracking.
3) Pressing “Join” in the SHC screen takes a user to a “Welcome to My SHC Community” page which requests the user’s name, address, and household size. The page then presents a document labeled “Privacy Statement and User License Agreement” — 2,971 words of text, shown in a small scroll box with just ten lines visible, requiring fully 54 on-screen pages to view in full. The initial screen of text is consistent with the “privacy statement” heading: The visible text indicates that the document describes “what information [SHC] gather[s and] how [SHC] use[s] it” — typical subjects for a privacy policy. But despite the title and the first screen of text, the document actually proceeds to an entirely different subject, namely downloadable software and its far-reaching effects: The tenth page admits that the application “monitors all of the Internet behavior that occurs on the computer on which you install the application, including … filling a shopping basket, completing an application form, or checking your … personal financial or health information.” That’s remarkably comprehensive tracking — but mentioned in a disclosure few users are likely to find, since few users will read through to page 10 of the license.
Within the Privacy Statement section, a link labeled “Printable version” offers users a full-screen version of the document, requiring “only” ten on-screen pages on my test PC. But nothing in the Privacy Statement caption or visible text suggests that the document merits such thorough review. Due to the labeling and the first screen of text, few users will see any need to click through to the full-screen version.
4) A user next arrives at a screen labeled “You’re almost finished!” Clicking “Next” triggers an ActiveX screen offering an unnamed program, signed by a company called TMRG, Inc. (nowhere previously mentioned in the installation sequence), authenticated by Thawte (part of VeriSign). Pressing Yes in the ActiveX yields an installation program with no further opportunity to cancel installation. Packet sniffer analysis confirms that ComScore software is installed.
The FTC’s recent settlements with Direct Revenue and Zango explain the disclosure and consent required before installing tracking software on users’ computers. To install such software on users’ PCs, vendors must obtain “express consent” — defined to require “clear[] and prominent[] disclos[ure of] the material terms of such software … including the nature and purpose of the program and the effects it will have … prior to the display of, and separate from, any final End User License Agreement.” “Clear[] and prominent[]” installations are defined to be those that are “unavoidable”, among other requirements.
The Sears SHC installation of ComScore falls far short of these rules. The limited SHC disclosure provided by email lacks the required specificity as to the nature, purpose, and effects of the ComScore software. Nor is that disclosure “unavoidable,” in that the key text appears midway through a paragraph, without a heading or even a topic sentence to alert users to the important (albeit vague) information that follows.
The disclosure provided within the Privacy Statement and User License Agreement also cannot satisfy the FTC’s requirements. The FTC demands a disclosure “prior to … and separate from” any license agreement, whereas the only disclosure on this page occurs within the license agreement — exactly contrary to FTC instructions. Furthermore, users can easiliy overlook text on page ten of a lengthy license agreement. Such text is the opposite of “unavoidable.”
The SHC/ComScore violation could hardly be simpler. The FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms. SHC’s installation of ComScore did nothing of the kind.
Other Installation Deficiencies
Beyond the problems set out above, the SHC installation also falls short in other important respects.
Failure to provide the promised additional information. Sears’ initial email promises that “during the registration process, you’ll learn more about this application software.” In fact, no such information is provided in the visible, on-screen installation sequence. Based on this false promise and users’ general experience, users may reasonably expect that the download link in step 4 will offer additional information about the software at issue, along with an opportunity to cancel installation if desired. In fact no such information is ever provided, nor do users have any such opportunity to cancel.
Choosing little-known product names that prevent users from learning more. The initial SHC email refers to the ComScore software as “VoiceFive.” The license agreement refers to the ComScore software as “our application” and “this application” without ever providing the application’s name. The ActiveX prompt gives no product name, and it reports company name “TMRG, Inc.” These conflicting names prevent users from figuring out what software they are asked to accept. Furthermore, none of these names gives users any easy way to determine what the software is or what it does. In contrast, if SHC used the company name “ComScore” or the product name “RelevantKnowledge,” users could run a search at any search engine. These confusing name-changes fit the trend among spyware vendors: Consider Direct Revenue’s dozens of names (AmazingMerchants, BestDeals, Coolshopping, IPInsight, Blackone Data, Tps108, VX2, etc.).
Critiquing Sears SHC’s Response
To my surprise, Sears defends the practices described above. In a reply to CA’s Ben Googins, Sears SHC VP Rob Harles claims that SHC “goes to great lengths to describe the tracking aspect.” In particular, Harles says “[c]lear notice appears in the invitation”, “on the first signup page”, and “in the privacy policy and user licensing agreement.”
I emphatically disagree. The email invitation provides vague notice midway through a lengthy paragraph that, according to its topic sentence, is otherwise about another topic. The first signup page makes no mention at all of any downloadable software. The privacy policy and license agreement describe the software only in the tenth page of text (where few users are likely to find the disclosures), and even then it fails to reference the program by name.
Harles further claims that the installer provides “a progress bar that they [users] can abort.” Again, I disagree. The video and screenshots are unambiguous: The SHC installer shows no progress bar and offers no abort button.
The Installation in Context
In June 2007, I showed other examples of ComScore software installing without consent — including multiple installations through security exploits. TRUSTe responded by removing ComScore’s RelevantKnowledge from TRUSTe’s Trusted Download Program for three months. Now that more than five months have elapsed, I expect that ComScore is seeking readmission. But the installation shown above stands in stark contrast to TRUSTe Trusted Download rules. See especially the requirement that primary notice be “clear, prominent and unavoidable” (Schedule A, sections 3.(a).(iii) and 1.(hh)).
Why so many problems for ComScore? The basic challenge is that users don’t want ComScore software. ComScore offers users nothing sufficiently valuable to compensate them for the serious privacy invasion ComScore’s software entails. There’s no good reason why users should share such detailed information about their browsing, purchasing, and other online activities. So time and time again, ComScore and its partners resort to trickery (or worse) to get their software onto users’ PCs.
Last November, Zango and the FTC announced a settlement of the FTC’s investigation of Zango’s practices. Among the key requirements: Zango agreed to install only after “clearly and prominently disclos[ing] the material terms [of its software] prior to the display of, and separate from, any [EULA].” Zango further agreed to label each of its ads with a “clear[] and prominent[]” marking as to the source of the ad, as well as a hyperlink to removal and complaint procedures.
Some of Zango’s installations do some of what the settlement requires. But others don’t. Today I’m posting a critique. In a series of screenshots, I show widespread Zango installations with no disclosure outside of a EULA. I also present numerous Zango ads appearing with no labeling at all. Details:
I present and critique pay-per-click ads that don’t deliver what they promise. I consider implications for search engine revenues, and I analyze legal and ethical duties of advertisers and search engines. I offer a system for others to report similar ads that they find.
Read Google’s voluminous Adwords Content Policy, and you’d think Google is awfully tough on bad ads. If your company sells illegal drugs, makes fake documents, or helps customers cheat drug tests, you can’t advertise at Google. Google also prohibits ads for fireworks, gambling, miracle cures, prostitution, radar detectors, and weapons. What kind of scam could get through rules like these?
As it turns out, lots of pay-per-click advertisers push and exceed the limits of ethical and legal advertising — like selling products that are actually free, or promising their services are “completely free” when they actually carry substantial recurring charges.
One scam Google doesn’t prohibit — and as best I can tell, does nothing to stop — is charging for software that’s actually free. Search for “Skype” and you’ll find half a dozen advertisers offering to sell eBay’s free telephone software. Search for “Kazaa” or “Grokster” and those products are sold too. Even Firefox has beentargeted.
Each and every one of these ads includes the claim that the specified product is “free.” (These claims are expressed in ad titles, bodies, and/or display URLs). However, to the best of my knowledge, that claim is false, as applied to each and every ad shown above: The specified products are available from the specified sites only if the user pays a subscription fee.
These ads are particularly galling because, in each example, the specified program is available for free elsewhere on the web, e.g. directly from its developer’s web site. Since these products are free elsewhere, yet cost money at these sites (despite promises to the contrary), these sites offer users a particularly poor value.
Often these sites claim to offer tech support, but that’s also a ruse: Tests confirm there’s no real support.
Although sophisticated users will realize that these sites are bad deals, novice or hurried users may not. These sites bid for top search engine placement — often appearing above search engines’ organic (main) results. Some proportion of users see these prominent ads, click through, and get tricked into paying for these otherwise-free programs. Claiming a refund takes longer than it’s worth to most users. So as a practical matter, a site need only trick each user for an instant in order to receive its fee.
The “completely free” ringtones that aren’t
Ringtone ads often claim to be “free,” “totally free,” “all free,” “100% complimentary,” and available with “no credit card” and “no obligation” required. These claims typically appear in pay-per-click ad bodies, but they also often appear in ad titles and even in ad domain names, of course along with landing pages.
Often, these claims are simply false: An ad does not offer a “totally free” product if it touts a limited free trial followed by an auto-renewing paid service (a negative option plan).
Other claims are materially misleading. For example, claiming “no credit card required ” suggests that no charges will accrue. But that too is false, since ringtone sites generally charge users through cell phone billing systems, unbeknown to many users who believe a service has no way to impose a charge if a user provides no credit card number.
Each and every one of these ads includes the claim that the specified product is “free” (or some other claim substantially similar, e.g. “complimentary”). In most cases, subsequent language attempts to disavow these “free” claims. But in each case, to the best of my knowledge, service is available only if a user enters into a paid relationship (e.g. a paid subscription) — the very opposite of “free.” (Indeed, the subscription requirement applies even to unlimitedringtones.com, despite that ad’s claim that “no subscription [is] required.” The site’s fine print later asserts that by requesting a ringtone registration, a user “acknowledge[s] that [he is] subscribing to our service billed at $9.99 per month” — specifically contrary to site’s earlier “no subscription” promise.)
Vendors would likely defend their sites by claiming that (in general) their introductory offers are free, and by arguing that their fine print adequately discloses users’ subsequent obligations. This is interesting reasoning, but it’s ultimately unconvincing, thanks to clear regulatory duties to the contrary.
The FTC’s Guide Concerning the Use of the Word ‘Free’ is exactly on point. The guide instructs advertisers to use the word “free” (and all words similar in meaning) with “extreme care” “to avoid any possibility that consumers will be misled or deceived.” The guide sets out specific rules as to how and when the word “free” may be used, and it culminates with an incredible provision prohibiting fine print to disclaim what “free” promises. In particular, the rule’s section (c) instructs (emphasis added):
All the terms, conditions and obligations upon which receipt and retention of the ‘Free’ item are contingent should be set forth clearly and conspicuously at the outset of the offer … in close conjunction with the offer of ‘Free’ merchandise or service.
In case that instruction left any doubt, the FTC’s rule continues:
For example, disclosure of the terms of the offer set forth in a footnote of an advertisement to which reference is made by an asterisk or other symbol placed next to the offer, is not regarded as making disclosure at the outset.
Advertisers may not like this rule, but it’s remarkably clear. Under the FTC’s policy, ads simply cannot use a footnote or disclaimer to escape a “free” promise made earlier. Nor can an advertiser promise a “free” offer at an early stage (e.g. a search engine ad), only to impose additional conditions later (such as in a landing page, confirmation page, or other addendum). The initial confusion or deception is too strong to be cured by the subsequent revision.
Advertisers might claim that the prohibited “free” ads at issue come from their affiliates or other partners — that they’re not the advertisers’ fault. But the FTC’s Guide specifically speaks to the special duty of supervising business partners’ promotion of “free” offers. In particular, section (d) requires:
[I]f the supplier knows, or should know, that a ‘Free” offer he is promoting is not being passed on by a reseller, or otherwise is being used by a reseller as an instrumentality for deception, it is improper for the supplier to continue to offer the product as promoted to such reseller. He should take appropriate steps to bring an end to the deception, including the withdrawal of the ‘Free’ offer.
It therefore appears that the ads shown above systematically violate the FTC’s “free” rules. Such ads fail to disclose the applicable conditions at the outset of the offer, as FTC rules require. And even where intermediaries have placed such ads, their involvement offers advertisers no valid defense.
Ads impersonating famous and well-known sites
Some pay-per-click ads affirmatively mislead users about who is advertising and what products are available. Consider the ads below, for site claiming to be (or to offer) Spybot. (Note text in their respective display URLs, shown in green type.) Despite the “Spybot” promise, these sites actually primarily offer other software, not Spybot. (Spybot-home.com includes one small link to Spybot, at the far bottom of its landing page. I could not find any link to the true Spybot site from within www-spybot.net.)
In addition, search engine ads often include listings for sites with names confusingly similar to the sites and products users request. For example, a user searching for “Spybot” often receives ads for SpyWareBot and SpyBoot — entirely different companies with entirely different products. US courts tend to hold that competitive trademark targeting — one company bidding on another company’s marks — is legal, in general. (French courts tend to disagree.) But to date, these cases have never considered the heightened confusion likely when a site goes beyond trademark-targeting and also copies or imitates another company’s name. Representative examples follow. Notice that each ad purports to offer (and is triggered by searches for the name of) a well-known product — but in fact these ads take users to competing vendors.
Google’s responsibility – law, ethics, and incentives
Google would likely blame its advertisers for these dubious ads. But Google’s other advertising policies demonstrate that Google has both the right and the ability to limit the ads shown on its site. Google certainly profits from the ads it is paid to show. Profits plus the right and ability to control yield exactly the requirements for vicarious liability in other areas of the law (e.g. copyright infringement). The FTC’s special “free” rules indicate little tolerance for finger-pointing — even specifically adding liability when “resellers” advertise a product improperly. These general rules provide an initial basis to seek greater efforts from Google.
Crucially, the Lanham Actspecifically contemplates injunctive relief against a publisher for distributing false advertising. 15 USC § 1125(a)(1) prohibits false or misleading descriptions of material product characteristics. § 1114 (2) offers injunctive relief (albeit without money damages) where a publisher establishes it is an “innocent infringer.” If facing claims on such a theory, Google would surely attempt to invoke the “innocent infringer” doctrine — but that attempt might well fail, given the scope of the problem, given Google’s failure to stop even flagrant and longstanding violations, and given Google’s failure even to block improper ads specifically brought to its attention. (See e.g. World Wrestling Federation v. Posters, Inc., 2000 WL 1409831, holding that a publisher is not an innocent infringer if it “recklessly disregard[s] a high probability” of infringing others’ marks.)
Nonetheless, the Communications Decency Act’s 47 USC § 230(c)(1) potentially offers Google a remarkable protection: CDA § 230 instructs that Google, as a provider of an interactive computer service, may not be treated as the publisher of content others provide through that service. Even if a printed publication would face liability for printing the same ads Google shows, CDA § 230 may let Google distribute such ads online with impunity. From my perspective, that would be an improper result — bad policy in CDA § 230’s overbroad grant of immunity. A 2000 DOJ study seems to share my view, specifically concluding that “substantive regulation … should, as a rule, apply in the same way to conduct in the cyberworld as it does to conduct in the physical world.” But in CDA § 230, Congress seems to have chosen a different approach.
That said, CDA § 230’s reach is limited by its exception for intellectual property laws. § 230(e)(2) provides that intellectual property laws are not affected by § 230(c)(1)’s protection. False advertising prohibitions are codified within the Lanham Act (an intellectual property statute), offering a potential argument that CDA § 230 does not block false advertising claims. This argument is worth pursuing, and it might well prevail. But § 230 cases indicate repeated successes for defendants attempting to escape liability on a variety of fact patterns and legal theories. On balance, I cannot confidently predict the result of litigation attempting to hold Google responsible for the ads it shows. As a practical matter, it’s unclear whether or when this question will be answered in court. Certainly no one has attempted such a suit to date.
Notwithstanding Google’s possible legal defenses, I think Google ought to do more to make ads safe as a matter of ethics. Google created this mess — by making it so easy for all companies, even scammers, to buy Internet advertising. So Google faces a special duty to help clean up the resulting problems. Google already takes steps to avoid sending users to web sites with security exploits, and Google already refuses ads in various substantive categories deemed off-limits. These scams are equally noxious — directly taking users’ money under false pretenses. And Google’s relationship with these sites is particularly unsavory since Google directly and substantially profits from their practices, as detailed in the next section.
Even self-interest ought to push Google to do more here. Google may make an easy profit now by selling ads to scammers. But in the long run, rip-off ads discourage users from clicking on Google’s sponsored links — potentially undermining Google’s primary revenue source.
Who really profits from rip-off ads?
When users suffer from scams like those described above, users’ money goes to scammers, in the first instance. But each scammer must pay Google whenever a user clicks its ad. So Google profits from scammers’ activities. If the scammers ceased operations — voluntarily, or because Google cut off their traffic — Google’s short-run revenues would decrease.
Users service fees    Scammers   advertising fees Google
How Google Profits from Scammers
Consider the business model of rogue web sites “selling” software like Skype. They have one source of revenue — users buying these programs. Their expenses tend to be low: they provide no substantial customer service, and often they link to downloads hosted elsewhere to avoid even incurring bandwidth costs. It seems the main expense of such sites is advertising — with pay-per-click ads from Google by all indications a primary component. The diagram at right shows the basic money trail: From users to scam advertisers to Google. When users are ripped off by scammers, at least some of the payment flows through to Google.
How much of users’ payments goes to Google, rather than being retained by scammers? My academic economics research offers some insight. Recall that search engine ads are sold through a complicated multi-unit second-price auction: Each advertiser’s payment is determined by the bid of the price of the advertiser below him. Many equilibria are possible, but my recent paper with Michael Ostrovsky and Michael Schwarz offers one outcome we think is reasonable — an explicit formula for each advertiser’s equilibrium bid as a function of its value (per click) and of others’ bids. In subsequent simulations (article forthcoming), Schwarz and I will demonstrate the useful properties of this bidding rule — that it dominates most other strategies under very general conditions. So there’s good reason to think markets might actually end up in this equilibrium, or one close to it. If so, we need only know advertisers’ valuations (which we can simulate from an appropriate distribution) to compute market outcomes (like advertiser profits and search engine revenues).
One clear result of my recent bidding simulations: When advertisers have similar valuations (as these advertisers do), they tend to “bid away” their surpluses. That is, they bid almost as much as a click is worth to them — so they earn low profits, while search engines reap high revenues. When a user pays such an advertiser, it wouldn’t be surprising if the majority of that advertiser’s gross profit flowed through to Google.
A specific example helps clarify my result. Consider a user who pays $38 to Freedownloadhq.com for a “free” copy of Skype. But Freedownloadhq also received, say, 37 other clicks from 37 other users who left the site without making a purchase. Freedownloadhq therefore computes its valuation per click (its expected gross profit per incoming visitor) to be $1. The other 10 advertisers for “Skype” use a similar business model, yielding similar valuations. They bid against each other, rationally comparing the benefits off high traffic volume (if they bid high to get top placement at Google) against the resulting higher costs (hence lower profits). In equilibrium, simulations report, with 10 bidders and 20% standard deviation in valuations (relative to valuation levels), Google will get 71% of advertisers’ expected gross profit. So of the user’s $38, fully $27 flows to Google. Even if Freedownloadhq’s business includes some marginal costs (e.g. credit card processing fees), Google will still get the same proportion of gross profit.
One need not believe my simulation results, and all the economic reasoning behind them, in order to credit the underlying result: That when an auctioneer sells to bidders with similar valuations, the bidders tend to bid close together — giving the auctioneer high revenues, but leaving bidders with low profits. And the implications are striking: For every user who pays Freedownloadhq, much of the user’s money actually goes to Google.
In January I estimated that Google and Yahoo make $2 million per year on ads for “screensavers” that ultimately give users spyware. Add in all the other terms with dubious ads — all the ringtone ads, the for-free software downloads, ads making false statements of product origin, and various other scams — and I wouldn’t be surprised if the payments at issue total one to two orders of magnitude higher.
Towards a solution
Some of these practices have been improving. For example, six months ago almost all “ringtones” ads claimed to be “free,” but today some ringtones ads omit such claims (even while other ads still include these false statements).
Recent changes in Google pricing rules seem to discourage some of the advertisers who place ads of the sort set out above. Google has increased its pricing to certain advertisers, based on Google’s assessment of their “low quality user experience.” But the specific details of Google’s rules remain unknown. And plenty of scam ads — including all those set out above — have remained on Google’s site well after the most recent round of rule changes. (All ads shown above were received on September 15, 2006, or later.)
Google already has systems in place to enforce its Adwords Content Policy. My core suggestion for Google: Expand that policy to prevent these scams — for example, explicitly prohibiting ads that claim a product is “free” when it isn’t, and explicitly prohibiting charging users for software that’s actually free. Then monitor ads for words like “free” and “complimentary” that are particularly likely to be associated with violations. When a bad ad is found, disable it, and investigate other ads from that advertiser.
To track and present more dubious ads, I have developed a system whereby interested users can submit ads they consider misleading for the general reasons set out above. Submit an ad or view others’ submissions.
These problems generally affect other search engines too — Yahoo, MSN, and Ask.com, among others. But as the largest search engine, and as a self-proclaimed leader on ethics issues, I look to Google first and foremost for leadership and improvement.
Google’s (Non-)Response
When Information Week requested a comment from Google as to the ads I reported, Google responded as follows:
When we become aware of deceptive ads, we take them down. … We will review the ads referenced in this report, and remove them if they do not adhere to our guidelines.
A week later, these ads remain available. So Google must have concluded that these ads are not deceptive (or else Google would have “take[n] them down” as its first sentence promised). And Google must have concluded that these ads do adhere to applicable Google policies, or else Google would have “remove[d] them” (per its second sentence).
Google’s inaction exactly confirms my allegation: That Google’s ad policies are inadequate to protect users from outright scams, even when these scams are specifically brought to Google’s attention.
All identifications and characterizations have been made to the best of my ability. Any errors or alleged errors may be brought to my attention by email.
I thank Rebecca Tushnet for helpful discussions on the legal duties of advertisers and search engines.
Originally posted October 9, 2006. Last Updated: October 16, 2006.
Read Google’s voluminous Adwords Content Policy, and you’d think Google is awfully tough on bad ads. If your company sells illegal drugs, makes fake documents, or helps customers cheat drug tests, you can’t advertise at Google. Google also prohibits ads for fireworks, gambling, miracle cures, prostitution, radar detectors, and weapons. What kind of scam could get through rules like these?
As it turns out, lots of pay-per-click advertisers push and exceed the limits of ethical and legal advertising — like selling products that are actually free, or promising their services are “completely free” when they actually carry substantial recurring charges. For example, the ad at right claims to offer “100% complimentary” and “free” ringtones, when actually the site promotes a services that costs approximately $120 per year.
An example misleading ad, falsely claiming ringtones are “complimentary” when they actualy carry a monthly fee.
In today’s article, I show more than 30 different advertisers’ ads, all bearing claims that seem to violate applicable FTC rules (e.g. on use of the word “free”), or that make claims that are simply false. I then analyze the legal and ethical principles that might require search engines to remove these ads. Finally, I offer a mechanism for interested users to submit other false or deceptive ads they find.
When a stranger promises “you can trust me,” most people know to be extra vigilant. What conclusion should users draw when a web site touts a seal proclaiming its trustworthiness? Somesitesthatarewidelyregardedasextremelytrustworthy present such seals. But those same seals feature prominently on sites that seek to scam users — whether through spyware infections, spam, or other unsavory practices.
It’s no great surprise that bad actors seek to free-ride on sites users rightly trust. Suppose users have seen a seal on dozens of sites that turn out to be legitimate. Dubious sites can present that same seal to encourage more users to buy, register, or download.
But certification issuers don’t have to let this happen. They could develop and enforce tough rules, so that every site showing a seal is a site users aren’t likely to regret visiting. Unfortunately, certification don’t always live up to this ideal. Writing tough rules isn’t easy, and enforcing them is even harder. Hard-hitting rules are particularly unlikely when certification authorities get paid for each certification they issue — but get nothing for rejecting an applicant.
Today I’m posting Adverse Selection in Online “Trust” Authorities, an empirical look at the best-known certification authority, TRUSTe. I cross-reference TRUSTe’s ratings with the findings of SiteAdvisor — where robots check web site downloads for spyware, and submit single-use addresses into email forms to check for spam, among other automated and manual tests. Of course SiteAdvisor data isn’t perfect either, but if SiteAdvisor says a site is bad news, while TRUSTe gives it a seal, most users are likely to side with SiteAdvisor. (Full disclosure: I’m on SiteAdvisor’s advisory board. But SiteAdvisor’s methodology speaks for itself.)
What do I find? In short, nothing good. I examine a sampling of 500,000+ top web sites, as reported by a major ISP. Of the sites certified by TRUSTe, 5.4% are untrustworthy according to SiteAdvisor’s data, compared with just 2.5% untrustworthy sites in the rest of the ISP’s list. So TRUSTe-certified sites are more than twice as likely to be untrustworthy. This result also holds in a regression framework controlling for site popularity (traffic rank) and even a basic notion of site type.
Particularly persuasive are some specific sites TRUSTe has certified as trustworthy, although in my experience typical users would disagree. I specifically call out four sites certified by TRUSTe as of January 2006:
Direct-revenue.com – Makes advertising software known to become installed without consent. Tracks what web sites users visit, and shows pop-up ads. Historically, blocks many attempts at removal, automatically reinstalls itself, and deletes certain other programs from users’ PCs. Faces litigation by the New York Attorney General plus consumer class actions.
Funwebproducts.com – This site, among other Ask.com toolbar distribution points, installs a toolbar into users’ web browsers when users install smileys, screensavers, cursors, or other trinkets. Moves a user’s Address Bar to the right side of the browser, such that typing an address into the standard top-left box performs a search rather than a direct navigation. Promotes its toolbar in ads shown by other vendors’ spyware.
Maxmoolah.com – Offers users “free” gifts if they complete numerous sequential partner offers. Privacy policy allows sharing of user’ email addresses and other information with third parties. In testing, providing an email address to Maxmoolah.com yielded a total of 485 distinct e-mails per week, from a wide variety of senders.
Webhancer.com – Makes online tracking software, which I have personally observed is often installed without consent. Monitors what web sites users visit, and sends this information to Webhancer’s servers.
This is an academic article — ultimately likely to be a portion of my Ph.D. dissertation. So it’s mathematical in places where that’s likely to be helpful (to some readers, at least), and it’s not as accessible as most of my work. But for those who are concerned about online safety, it may be worth a read. Feedback welcomed.
In its response to my article, TRUSTe points out that Direct Revenue and Maxmoolah no longer hold TRUSTe certifications. True. But Maxmoolah was certified for 13+ months (from February 2005 through at least March 2006), and Direct Revenue was certified for at least 8 months (from April 2005 or earlier, through at least January 2006). These companies’ practices were bad all along. TRUSTe need not have certified them in the first place.
TRUSTe then claims that its own web site made an “error” in listing FunWebProducts as a member. TRUSTe does not elaborate as to how it made so fundamental a mistake — reporting that a site has been certified when it has not. TRUSTe’s FunWebProducts error was compounded by the apparent additional inclusion of numerous other near-identical Ask.com properties (Cursormania, Funbuddyicons, Historyswatter, Mymailstationery, Smileycentral, Popularscreensavers). TRUSTe’s error is particularly troubling because at least some of the erroneously-listed sites were listed as certified for 17 months or longer (from May 2005 or earlier, through at least September 12, when Google last crawled TRUSTe’s member list).
As to Webhancer, TRUSTe claims further tests (part of TRUSTe’s Trusted Download program) will confirm the company’s practices. But that’s little benefit to consumers who currently see Webhancer’s seal and mistakenly conclude TRUSTe has already conducted an appropriate review of Webhancer’s products, when in fact it has not. Meanwhile, I have personally repeatedly observed Webhancer’s bad installation practices day in and day out — including widespread nonconsensual installations by the notorious Dollar Revenue, among others. These observations are trivial to reproduce, yet Webhancer remains a TRUSTe certificate holder to this day.
Consumers deserve certifications that are correctly issued in the first place — not merely revoked after months or years of notorious misbehavior, and not mistakenly listed as having been issued when in fact they were not. TRUSTe is wrong to focus on the few specific examples I chose to highlight. The problem with TRUSTe’s approach is more systemic, as indicated by the many other dubious TRUSTe-certified sites analyzed in my dataset but not called out by name in my paper or appendix.
Consider some of the other unsavory sites TRUSTe has certified:
TRUSTe certifies numerous sites that most users would call spammers — like focalex.com (which sends users 320+ emails per week, in SiteAdvisor’s tests), yourgiftcards.com (147 emails per week), and everyfreegift.com (86). All three of these sites remain TRUSTe members listed on TRUSTe’s current member list.
TRUSTe continues to certify freecreditreport.com, which offers a “free” credit report that actually costs users $12.95/month if they don’t remember to cancel — a practice so misleading it prompted FTC litigation.
TRUSTe has certified Hotbar (now owned by 180solutions) and Hotbar’s Wowpapers.com site — advertising software that tracks users’ browsing and shows extra pop-ups.
TRUSTe even certified Gratis Internet, which was revealed to have sold 7.2 million users’ names, email addresses, home phone numbers, and street addresses, in specific violation of its privacy policy.
TRUSTe’s response claims that my conclusions somehow reflect SiteAdvisor idiosyncrasies. I disagree. I can’t imagine any reasonable, informed consumer wanting to do business with sites like these. TRUSTe can do better, and in the future, I hope it will.
I’m sometimes asked where I’m headed, personally and professionally. Posting a new academic article offers an appropriate occasion to explain. I’m still working on my economics Ph.D., having drafted several papers about pay-per-click advertising (bidding strategies, efficiency, revenue comparisons), with more in the pipeline. After that? An academic job might be a good fit, though that’s not the only option. Here too, I’d welcome suggestions.
On Tuesday, the New York Attorney Generalfiled suit against notorious spyware vendor Direct Revenue. In a detailed complaint, the NYAG alleged Direct Revenue surreptitiously installed spyware onto users’ computers and made its spyware exceptionally difficult to remove. The suit includes claims under New York’s General Business Law (prohibiting false advertising and deceptive business practices), New York’s Penal Law (prohibiting computer tampering), and New York’s common law prohibitions against trespass.
The NYAG’s complaint was accompanied by more than a thousand pages of exhibits and appendices. Some of these documents present the results of NYAG’s testing — narratives of misleading and nonconsensual installation, not unlike my own installation tests. But the NYAG also produced a treasure trove of documents: Internal Direct Revenue documents, records, and emails that present their strategy, intentions, and plans in great detail.
I have obtained these additional documents and posted them to a new page:
Some documents and findings of particular interest:
Revenues reported at $6.9 million in 2003, $39 million in 2004, $33 million in January-October 2005. 2004 expenses total only $13 million, for a profit margin of 66%.
Payments to Direct Revenue’s senior staff, totaling more than $27 million.
A list of distributors of Direct Revenue’s spyware, with the number of installations attributable to each.
Admission that Direct Revenue for a time sold a “majority” of its advertising through ad networks Traffic Marketplace and ValueClick.
Admission that Direct Revenue’s ads appear so frequently that they constitute “user abuse.” But reducing ad frequency lowers company revenues, so frequency stays high.
Admission that Direct Revenue previously tracked and transmited users’ GET and POST data — names, addresses, emails — and even sent this data to third parties Hitwise and Compete.com. Itemizes the specific personal information collected from online forms: first name, last name, e-mail address, street address, and zip code. Hitwise reports successfully analyzing and matching users’ IDs, genders, and phone numbers.
Instructs making Direct Revenue harder to remove, by deleting its entry from Control Panel’s Add/Remove Programs, because too many users were relying on that method to remove Direct Revenue.
Report of April-June 2005 payments from Yahoo, totaling more than $600,000 in those three months alone.
Installation by Direct Revenue of Ebates’ Moe Money Maker onto users’ computers.
Listing of Direct Revenue’s many names and shell companies, all used to confuse and deceive the public.
Complaints from Direct Revenue partners, such as Kazaa (which called Direct Revenue’s ads “purposefully confusing to the user”) and Integrated Search (which wanted Direct Revenue to include an uninstaller in Control Panel, as previously promised)
Threatening the Center for Democracy and Technology. Demanding revisions from CNET. Hiring an investigator to track anti-spyware researcher Webhelper, and planning tactics to intimidate him.
Claims I am “losing credibility in the industry” and calls me a “fanatic.”
Endorses NYAG’s suit against Intermix as an “important opportunity to draw a bright line between purveyors of spyware and legitimate behavioral marketing companies like Direct Revenue.”
Scores of complaints from users (1, 2, 3 , 4, 5, 6, 7, 8, 9) Direct Revenue staff call one complaining user an “idiot.”
Complaints from Direct Revenue’s investors get special handling. One investor worries that another member of his investment firm, former Secretary of the Treasury Bob Rubin, may learn of Direct Revenue’s practices.
Reports daily revenue per user at approximately $0.015 (one and one half cents per user per day). (Compare that revenue with the harm caused to users — the amount a typical user would be willing to pay not to have Direct Revenue installed.)
On Friday morning (February 17), I received a nonconsensual installation of 180solutions Zango software through a security exploit. I was browsing an ordinary commercial web site, when I got a popup from exitexchange.com (a major US ad network, with headquarters in Portland, Oregon) . The popup sent me to a third-party’s web site. (I’ll call that third party “X” for convenience. Details.) Then X ran a series of exploits to take control of my test PC, including using the widely-reported WMF exploit uncovered last month. Once X took control of my PC, X caused my computer to install and run 180solutions Zango software, among a dozen other programs. Notably, X fully installed 180’s Zango without me taking any action whatsoever — without me clicking “I agree,” “Yes,” “Finish,” or any other button of any kind. X installed 180’s Zango despite 180’s new “S3” protections, intended to block these nonconsensual installations.
Most aspects of this installation are remarkably standard. “Adware” installations through security exploits are all too common. And it’s not that unusual to see traffic flowing through an ad network — even a big US ad network.
But what’s newsworthy here is that 180solutions got installed, even though 180 last year told the world that these nonconsensual installations were impossible. Effective January 1, 2006, all 180solutions distributors were required to switch to 180’s “S3” installer. 180 claimed huge benefits from the new S3 system: 180’s October 2005 press release promised:
“The S3-enabled clients … mean[] 180solutions will own the entire experience from beginning to end on all installations of its products.”
180’s S3 Whitepaper(PDF) also falsely promises major benefits from S3:
“[I]nstallation cannot continue until the user gives consent.”
“Since the consent box comes directly from 180solutions, publishers are unable to turn it off.”
To the contrary, my video shows installation continuing even when a user does not consent. And my video shows a distributor faking a user’s click on the consent button.
See video of the nonconsensual installation of 180 Zango, including bypassing of the 180 S3 screen. (Note: Video has been edited to hide the identity of the installer at issue. Learn why. Within the video, yellow markup provides my comments and analysis.)
180’s S3 Technology and Its Design Flaws
180’s S3 installation system
Historically, 180’s installer programs have installed 180 software immediately, on the misguided assumption that 180’s distributors already obtained user consent. That approach is overly optimistic because 180’s distributors have no incentive to ask users’ permission: If distributors seek users’ permission, users might decline that unwanted offer, preventing distributors from getting paid by 180. So it comes as no surprise that many distributors have installed 180 without obtaining users’ consent. I have publicly posted at least five different videos showing such installations (1, 2, 3, 4, 5), and I have many more on file. Others have repeatedly found the same (1, 2, 3, 4, 5).
180’s S3 system seeks to address these nonconsensual installations by showing users a notice screen before 180solutions software installs onto their PCs. 180’s distributors are now supposed to run 180’s “stub” installer to display this notice screen; then users can choose whether or not to proceed. See example screen at right.
As a threshold matter, I don’t think 180’s S3 screen provides an accurate, truthful, complete disclosure of 180’s important effects. As I explained last month, the S3 screen oddly describes 180 only as showing “ads,” without mentioning that these ads appear in “pop-ups” — the essential characteristic reasonable users most need to know in order to decide whether they want 180’s software. The S3 screen also fails to describe the important privacy effects of installing 180’s software — that 180’s software will tell 180’s servers many of the sites users visit. The S3 screen does show a EULA — but it’s in an oddly-shaped box, and its text can’t be copied to the clipboard. Finally, the S3 screen labels its affirmative button “Finish” — even though the S3 screen is known to appear in circumstances where it is the first screen mentioning installation of 180’s software. A user cannot be asked to “finish” what he has not yet agreed to start; an “I agree” or “I accept” label would more clearly indicating the consent that the button is claimed to grant.
But beyond these important problems of wording and layout, the S3 installer also features a fundamental design flaw: Self-interested installers can easily bypass the S3 prompt. Installers can easily fake a click on the “Finish” button — just by simulating a single stroke of the “enter” key, or by simulating a click on a predictable button location. So faking a user’s consent is trivial — just a single Windows SendKeys API call.
Sure enough, my “X” installation reflects an installer using exactly these methods. In my video of X’s exploit-based installation of 180, the S3 notice was visible on screen for less than half a second — between 19.08 seconds and 19.57 seconds into the video. During that half-second, exploit-delivered software (installed on my test PC mere seconds before) pressed “Finish,” at which point 180 completed its installation, putting itself in my System Tray (next to the Windows clock), beginning to download its supplemental files, and beginning to monitor my web browsing.
180’s Bad Partners and 180’s Flawed Business Model
180 seems to intend its S3 installer to protect 180 and users from the untrustworthiness of 180’s distribution partners. 180 is right to think that S3 makes it somewhat harder for distributors to install 180 without getting users’ consent. But the increase in difficulty isn’t much — certainly not enough to deter any serious installer. Those who want to get paid for installing 180 will find that S3 presents at most a small speedbump; it’s hardly the airtight blockade 180’s press release claims.
For 180, the appropriate response to nonconsensual installations is not merely a small improvement in installer program design. Rather, 180 should rethink its entire distribution business model. 180 has repeatedly written about the “long tail” of distributors (1, 2, 3) — 180’s plan for thousands of different web sites installing 180’s software when users browse their materials, and thousands of different programs bundling 180. It’s an interesting vision, but in my view impractical and unwise. With so many distributors, 180 will be unable to assure that each distributor really does obtain consent — rather than cheating the system, as X did.
180’s October press release correctly describes the serious harms that occur when users receive many advertising programs. “A myriad of unwanted software … can often negatively impact system performance,” 180 admitted. But 180 then claimed that S3 would keep 180 out of such bundles. I disagree. According to my records, the installation at issue also installed Ad-w-a-r-e, Adservs, Integrated Search Technologies, Internet Optimizer, Media Tickets, New.net, Quicklinks, Surfsidekick, Tagasaurus, Targetsaver, Toolbar888, Ucmore, Webhancer, Web Nexus, WinFixer, and more. These many programs collectively bombarded my test PC with an incredible 730 registry keys, 1194 registry values, 461 files, and 43 file folders. Worse, the newly-installed programs caused 61 processes to run on my test PC, via 24 EXEs set to load each time I turned on my computer. The programs even added three different toolbars to my web browser. This overwhelming burden made it difficult even to inventory and track the programs’ additions and effects. So many co-bundled programs hardly satisfy the “prevent[ing] customers … from receiving a myriad of unwanted software” promise in 180’s press release.
Why “X” and an Obscured Video?
Long-time visitors to my web site may reasonably wonder: Why the markings in my screen-capture video? And why refer to the 180 distributor as “X,” rather than by its actual name and URL? After all, I’ve long provided video proof of my observations, and I’ve been naming names ever since my 2003 listing of advertisers using Gator (now Claria).
But I’ve run out of patience for being outside quality control staff for 180solutions. An episode last month was particularly instructive: Security company FaceTime found an AOL Instant Messenger worm that was installing 180solutions. 180’s response? After FaceTime reported the details, 180 trivialized the finding and issued a self-serving press release. Rather than admit that their software still becomes installed improperly, 180 danced around the issue and tried to use these wrongful installations to obtain a public relations benefit.
CDT‘s experience with 180 is similarly instructive. After two years of alerting 180solutions to its various bad practices, CDT recently ceased working with 180, instead electing to file a complaint with the FTC.
I too have decided no longer to share my work with 180solutions. As discussed in the preceding section, I have concluded that 180’s business model is fundamentally broken — that 180 cannot implement technology or enforcement to assure the proper installation of its software. Accordingly, just as CDT terminated its discussions with 180, I have resolved not to tell 180solutions which specific distributor was responsible for this installation.
Despite my decision not to work with 180 on resolving these installations, I will make my research available to those with a legitimate need to know. I expect to provide (and in some cases already have provided) this information to law enforcement officials considering action against 180solutions, to private attorneys in litigation against 180solutions, to members of the press seeking to verify my findings, and to other security researchers. Please contact me to request the original raw video file. As usual, I also retain full packet logs, raw screen-captures, registry change logs, filesystem change logs, HijackThis logs, Ad-Aware logs, and additional records.
Update (February 24): My Response to 180’s Press Release
180solutions has found and terminated the distributor I described above, which I’m now happy to reveal was crosskirknet.com. But what a road to get there! 180’s press release suggests 180 figured this all out within hours of my initial post. I’m convinced that that’s false. First, 180 terminated some other bad installer — only later realizing that the installer I found was someone different. Sunbelt has the details — how we figured out (and proved) that 180 hadn’t cut off this installer when 180 issued the press release saying they had. In a blog post, 180 now admits that we’re right and their press release was wrong. (Of course the right response to a false statement in a press release is a correction press release, not a mere blog post. Otherwise, many readers might get the press release, e.g. via the news wire, but never see the blog post.).
180’s press release claims that S3 “enabled the company to go back and re-message every user who received its software [from this nonconsensual installer] and provide them a one-click uninstall.” 180’s blog says the same: “We re-messaged each of [these] installs and provided … a one-click uninstall of our software.” In both documents, 180 writes in the past tense (“enabled”, “re-messaged”, “provided” ), seemingly indicating that these re-notifications have already occurred. But I have yet to receive any such prompt, despite substantial efforts to seek it out (e.g. by repeatedly restarting my test PC). I’ve also received many 180solutions ads on my infected test PC, despite 180’s claim that it “shut off all advertisements to all installs” from this distributor. So here too, I think 180’s statements are off-base. 180 may intend or aspire to provide renotifications, and 180 may intend to shut off ads. But by all indications, 180 hasn’t actually done so, at least not yet. I’ve confirmed my findings with Sunbelt; they haven’t seen this re-notification either, and they’re still getting ads too.
180’s press release quotes 180’s CEO as saying “No software is ever hack-proof.” I agree. But 180 has previously made public statements falsely indicating that its software is not susceptible to those who want to install 180 without consent. Recall 180’s S3 Whitepaper(PDF), explicitly stating “[I]nstallation cannot continue until the user gives consent” and “Publishers are unable to turn [the consent screen] off” (emphasis added). These are not claims of mere hopes or aspirations. No, 180 promised that installation “cannot” proceed without consent. But now that I’ve disproven 180’s claim, 180 tries to backpeddle and to weaken its unambiguous statement. The better approach would be to admit that 180’s prior promises went too far, and that 180’s software cannot actually deliver the benefits 180 previously described.
180’s press release concludes with a section 180 labels “a call for ‘responsible disclosure’.” Citing practice among those who find security vulnerabilities in widely-deployed software, 180 says researchers should tell 180 when they find nonconsensual installations of its software, rather than keep this information to themselves or provide it to law enforcement. I understand that 180 would like to receive this information, and I do follow responsible disclosure principles when I find software vulnerabilities. But responsible disclosure principles just don’t apply to records of nonconsensual installations.
Responsible disclosure principles seek to prevent hackers from taking advantage of newly-uncovered security vulnerabilities. If hackers learned about vulnerabilities before software vendors had time to prepare patches, users would face increased security risks, with few good options for protection. So responsible disclosure principles have a clear purpose and a clear benefit to users — which is why I followed these principles when I previously found vulnerabilities in widely-deployed software.
But what I uncovered, above, is not a security vulnerability. I didn’t find a new security hole, or a new way to take advantage of some existing hole. All I found was some bad guy who’s already using these methods — and who 180 has been prepared to pay for his efforts. There’s no heightened risk of harm to users from my reporting what’s already happening. Perhaps this particular bad actor got to continue his scheme for a few more days while 180 struggled to figure out who was responsible. But that’s the entire harm that resulted from my refusal to tell 180 what happened — that’s the usual, background, ongoing risk of harm; it’s not a heightened risk created by my disclosure itself. When I posted information about these nonconsensual 180 installs, I didn’t put users at special risk of any worm or exploit, in the way that responsible disclosure principles intend to prevent.
So where does this leave us? 180’s S3 system is still broken in all the ways I initially set out. 180’s press release made claims that can be shown to be false, as did 180’s prior statements of S3’s benefits, but 180 has not properly retracted its false statements. And 180’s analogies don’t add up. I’d still like to see 180 spend more time improving its practices, and less time on premature press releases and public relations.
Thanks to TechSmith for providing me with a complimentary license of its Camtasia Studio, the video annotation software I used to mark up my screen-capture video of this installation.