Benjamin Edelman - News Archives
This page lists archived site postings. See also current entries.
What Claria Doesn't Disclose (Any More)
November 15, 2005 - Permalink
Now that Claria no longer comes bundled with powerhouse distributors Kazaa and Grokster, and now that Claria has even terminated its fake-user-interface banner ads, one might reasonably wonder: How does Claria get onto users' PCs? Last month I showed an example of Claria soliciting installations via banner ads served through other vendors' spyware (which in turn had become installed without consent). But even Claria's ordinary installations still fail to tell users what they reasonably need to know in order to make an informed choice.
In particular, Claria has removed disclosures that used to be reasonably prominent within its prior installations. Claria used to admit, within an ActiveX popup, that it shows "pop-ups." These days, that disclosure has been removed, replaced with the vague "GAIN-branded ads." So users can receive Claria software without first being told that Claria will give them extra pop-ups.
Continued: Screenshots; comparisons; analysis under applicable FTC rules.
Claria Shows Ads Through Exploit-Delivered Popups
October 18, 2005 - Permalink
Seeking to clean up its image, Claria has tried to distance itself from competing "adware" vendors -- hiring a privacy officer, filing comments with the FTC, even setting up an anti-spyware site. It's no surprise that Claria wants little to do with other vendors in this space: Other vendors' entirely nonconsensual installations (1, 2, 3) are a magnet for criticism. These vendors even undercut Claria's pricing -- showing ads for as little as $0.015 per display, where Claria demands a minimum payment of $25,000 per ad campaign.
But despite Claria's dislike of "spyware" vendors who install advertising software without any notion of user consent, Claria funds and supports such vendors in at least two distinct ways. First, Claria pays spyware vendors to show Claria's own ads through their popups -- thereby recruiting more users to install Claria's advertising software. Second, Claria buys traffic from spyware vendors and uses this traffic to show ads for Claria's advertiser clients -- including merchants as reputable as Amazon.
So even as Claria reforms its own practices -- improving its installation methods and scaling back its controversial popups -- Claria is buying ads from others whose practices are far inferior.
Continued: Specific examples; implications for the future of BehaviorLink.
Video: New.net Installed through Security Holes
October 5, 2005 - Permalink
New.net offers "navigation" software that, as best I can tell, few users actually want. So how does New.net maintain an installed base of users? I post a video showing New.net installed via security hole exploits, and I review a few of their other dubious installations.
Of course New.net isn't all that gets installed through this security hole exploit. In testing, the exploit asked me if I wanted to install 180solutions; I declined, but I nonetheless received 180 a mere twelve minutes later.
Continued: What New.net does; examining the security exploit; other programs installed.
How Affiliate Programs Fund Spyware
September 14, 2005 - Updated September 15, 2005 - Permalink
Affiliate networks offer an appealing promise for supporting free, independent content on the web: Any ordinary user can sign up to promote any interested merchant via a special affiliate tracking link. When a user clicks the link and makes a purchase from the merchant, the referring web site ("affiliate") gets a payment from the merchant. Since merchants only pay affiliates when users actually make purchases, merchants feel free to partner with smaller affiliate sites -- sites that might otherwise be too small or quirky to get advertisers' attention.
Despite the promise of affiliate marketing, these casual marketing arrangements entail serious risks. If merchants sign up affiliates without investigation or monitoring, merchants risk accepting partners with undesirable business practices. Consider an affiliate who sends spam, or whose site is so controversial that no reasonable merchant would want to be seen there. So, experienced merchants have learned, they must monitor their affiliates for these kinds of dubious behaviors.
Even more serious for most merchants, some affiliates promote merchants via unwanted advertising software -- "spyware." Some affiliates cause merchants' ads to cover competitors' sites -- a merchant's ad might appear through spyware without the merchant knowing about, intending, or requesting this result. Worse, affiliates can use spyware to steal commissions they haven't earned -- making tracking systems think users arrived at a merchant's site via an affiliate link, when users actually just typed in a merchant's domain name.
This piece proceeds in three parts. First, I show five specific examples of particular affiliates currently employing spyware to claim affiliate commissions, in apparent violation of applicable rules. (1, 2, 3, 4, 5) Second, I offer recommendations to concerned merchants. I conclude with recommendations for networks -- suggesting technology and policy to stop this problem in the long run.
Continued: Specific examples; obfuscation and trickery; recommendations for merchants and networks.
September 7, 2005 - Permalink
Few advertisers have the gall to defend advertising through spyware. But Expedia is an exception.
Earlier this year, the Associated Press asked Expedia about its support for spyware. Expedia's spokesman responded:
"It is just a marketing tool that we use."
Expedia subsequently claimed to have "rigorous standards" for advertising software, including "mak[ing] sure customers want [the] ads."
Despite Expedia's claims of user consent, Expedia advertises with numerous programs that don't always obtain user consent. For example, in my testing, Expedia advertises with 180solutions, Direct Revenue, and eXact Advertising -- each of which has been shown to be installed through security holes, repeatedly and recently, among other troubling behaviors.
August 31, 2005 - Updated September 5, 2005 - Permalink
Yahoo's Overture (recently renamed Yahoo Search Marketing) allocates pay-per-click (PPC) ads among Yahoo's network of advertisers. When users run searches at yahoo.com, Yahoo's advertisers are assigned placements at the top, right, and bottom of search results. Advertisers pay Yahoo a fee when users click on their ads.
But Yahoo doesn't just show advertisers' ads on yahoo.com; Yahoo also distributes advertisers' ads to Yahoo's various syndication partners. Many of these partners are entirely legitimate: For example, most advertisers will be happy to show their ads to users running searches at washingtonpost.com, where Yahoo sponsored links complement searches of Post articles.
However, serious concerns arise where Yahoo syndicates advertisers' ads to be shown by advertising software installed on users' PCs -- software typically known as spyware or adware. In my testing, Yahoo's support of spyware is widespread and prevalent -- an important source of funding for many spyware programs, bankrolling infections of millions of users' PCs. Were it not for Yahoo's funding of these programs, the programs would be far less profitable -- and there would be fewer such programs trying to sneak onto users' PCs.
August 11, 2005 - Updated October 14, 2005 - Permalink
Reading ShopAtHomeSelect's marketing materials, their advertising software might seem to present compelling benefits. SAHS promises users rebates on products they're already purchasing. And SAHS even offers reminder software to make sure forgetful users don't miss out on the savings. What could be better than timely reminders of free money?
But the SAHS site doesn't tell the whole story. My testing demonstrates that SAHS software is often installed without users wanting it, requesting it, or even accepting it -- through security exploits, nondisclosed bundles, ActiveX popups, IM tricks, and even bundles with porn videos. (Details.) When users receive an unwanted SAHS installation, SAHS still claims commissions on users' purchases -- but typical users will never see a penny of the proceeds. (Details.) Meanwhile, whether requested by users or not, SAHS's commission-claiming practices seem to violate stated rules of affiliate networks. (Details.)
Despite these serious problems, SAHS boasts a superstar list of clients -- the biggest merchants at all the major affiliate networks, including Dell, Buy.com, Expedia, Gap, and Apple. Why? Affiliate networks have little incentive to investigate SAHS's practices or assure compliance with stated rules. (Details.) SAHS and affiliate networks profit, but users and merchants are left as victims. (Details.)
June 30, 2005 - Updated July 12, 2005 - Permalink
Today's New York Times reports Microsoft "in talks" to buy Claria. Leading commentators think it's a bad idea (1, 2, 3, 4, 5, 6, 7, 8, 9, 10). I agree. In today's piece, I explain why this isn't just a bad value for Microsoft, but also a dubious ethical choice, and an approach with serious risks for users who look to Microsoft for protection from spyware.
Meanwhile, Microsoft's Anti-Spyware offering now recommends that users "ignore" Claria's presence on their PCs. See image at left.
Continued: What Claria could offer; why Microsoft is better off on its own.
What Passes for "Consent" at 180solutions
June 28, 2005 - Permalink
180solutions today announced its plan to show its users "notification" popups describing some of 180's practices -- thereby, in 180's view, obtaining users' "informed consent." In principle, a re-opt-in might let 180 obtain users' consent even where initial installations had somehow failed to do so. But 180's notification message is so flawed and so duplicitous that it can't offer the legitimacy 180 purportedly seeks.
180's notification screen makes numerous false statements. For example, it claims that user consent is "required" before 180 can be installed -- despite evidence (1, 2, 3) and admissions (1, 2, 3, 4) to the contrary. And the screen claims that all 180 ads are labeled, again despite 180's own admission that they're not. Details.
Furthermore, 180's notification is presented in a way that fails to obtain any notion of "consent." The notification doesn't ask for consent, and it doesn't seek or require a manifestation of consent (e.g. pressing a button). Users wanting to remove 180 must take steps far longer than those to install 180. Details.
Meanwhile, even 180's new stub installers don't obtain meaningful informed consent. 180's stub installer covers and obscures much of 180's license, and 180's stub installer (like its notification screen) fails to reasonably explain what 180 is or what it does. Details.
More on Google's Role: Syndicated Ads Shown Through Ill-Gotten Third-Party Toolbars
June 6, 2005 - Permalink
Google's "Software Principles" set out reasonably high standards for notice and consent to install advertising software. And Google's "Principles" strongly discourage doing business (even indirectly) with companies that violate these rules. But apparently Google wants others to do as they say, not as they do. In practice, Google has large relationships with companies widely violating these rules.
In More on Google's Role: Syndicated Ads Shown Through Ill-Gotten Third-Party Toolbars, I offer two separate examples of Google partners who break Google's Software Principles rules. First, Ask Jeeves. AJ's toolbars are sometimes installed without any consent at all. But even when users supposedly consent, installation procedures are often seriously deficient. For example, users who download iMesh get an AJ toolbar too -- though the only way to find out is by scrolling to page 27 of iMesh's license. These practices notwithstanding, Google's payments to AJ apparently total hundreds of millions of dollars per year.
Second, the IBIS WebSearch toolbar installs in a variety of ways that don't meet Google's standards -- including security exploits, poorly-disclosed bundles, and ActiveX popups. But IBIS also shows many Google ads, obtained from Google through InfoSpace's Go2Net.
I see at least two distinct problems here. First, Google's payments are helping to fund purveyors of unwanted software -- making the spyware problem that much larger. Second, even advertisers who hate spyware are inadvertently advertising through these channels -- intending to rely on Google's promise of "high-quality" partner sites, although this promise may be overly optimistic.
Perhaps Google will make excuses for its so-called "partners." But the company's "don't be evil" slogan and its Software Principles document suggest another possibility: That Google entirely disassociate itself from those who use tricky practices to get their advertising software onto users' PCs. Stay tuned.
Continued: Details on installation methods; Google's rules; big money; enforcement challenges.
Intermediaries' Role in the Spyware Mess
May 23, 2005 - Permalink
When unwanted programs ("spyware" and others) sneak onto users' computers, their main goal is often to show extra ads. If a vendor's program steals users' credit card numbers or social security numbers, the vendor will get in real trouble. But, historically, software vendors have been able to show extra ads with impunity.
Where do these ads come from? What companies are willing to support the advertising software that users so despise? It turns out some of the world's biggest companies are advertising in this way -- either intentionally or because they can't control their ad buying processes. In 2003, I posted a list of some of Gator's then-biggest advertisers, work that PC Pitstop updated in 2003 (using Claria's S1 filing). More recently, I've posted a list of substantially all eXact advertising advertisers. More to come.
These advertisers aren't working in a vacuum. Quite the contrary: Many of their ads appear through spyware only thanks to major ad intermediaries that facilitate, intermediate, and track those placements, and that assist in the associated payments.
My new Intermediaries' Role in the Spyware Mess presents the ad intermediaries who are involved. Big ad networks and tracking services like Atlas DMT and DoubleClick help with thousands of 180solutions' ads. But the biggest surprise is Google: Of 180's current 88,000+ ads, some 4,678 (>5%) show embedded Google ads.
May 16, 2005 - Permalink
Last week Sunbelt announced that Hotbar sent Sunbelt a Cease and Desist letter, apparently demanding that Sunbelt stop detecting Hotbar software and offering users an option to remove it. I immediately updated my Threats page. But then I started wondering: How does Hotbar get onto users' PCs? And what does Hotbar do once installed?
My new Hotbar Toolbar Installs via Banner Ads at Kids Sites shows a variety of unsavory Hotbar practices: Promoting Hotbar advertising software at sites targeting kids, using banners with smiley faces but without mention of ads. Failing to affirmatively show a license agreement, and burying advertising terms so many screens into the license and below such counterintuitively-labeled section headings that users cannot reasonably find the key provisions. First affirmatively mentioning advertising on a screen that offers no Cancel button for users to decline the installation. And ultimately bombarding users with ads in pop-ups, web browser toolbars, Windows Explorer toolbars, auto-opening sidebars, and even desktop icons.
Telling the Truth about Installation Tactics
May 9, 2005 - Permalink
Installation practices occupied center stage at last week's CNET Download.com anti-spyware conference. Many of the companies whose installation practices I've criticized attempted to defend those practices or deflect attention from them. But their explanations and excuses don't stand up to critical examination.
My new article today proceeds in four parts. First I look at more Claria installations targeting kids -- their focus on children even more transparent than the examples I posted previously. Next I critique the recent denial of IAC CEO Barry Diller of any liability by Ask Jeeves; I argue that nonconsensual installations could be wrongful in and of themselves, even when not associated with "adware." Then I compare 180's actual practices with its statements to the press and with the claims on its web sites. Finally, diverging a bit from the theme of installation practices, I discuss Direct Revenue's commission-skimming -- and note that DR apparently just got caught by the largest affiliate network.
Continued: Installation tactics analysis - Claria, 180, Ask Jeeves, and more.
Does Jeeves Ask for Permission?
May 2, 2005 - Permalink
I continue my misleading installation series with a look at installation practices of Ask Jeeves. My new Ask Jeeves Toolbar Installs via Banner Ads at Kids Sites shows a misleading banner ad particularly likely to target kids. When users click on this banner, AJ neither shows nor references any license agreement. And AJ uses euphemisms like "accessible directly from your browser" rather than explicitly admitting that it will install a web browser toolbar.
But that's not the worst of AJ's practices. Over the past six months, I've captured a series of videos showing Ask Jeeves' MyWay and MySearch software installed through security holes -- without notice, disclosure, or consent. For example, in a video I made on March 12, I received more than a dozen different programs including the Ask Jeeves MySearch toolbar -- without me ever requesting anything, and without me ever clicking "Yes" or "Accept" in any dialog box. Watch the video and see for yourself. Warning: The video is 16+ minutes long. Security exploit occurs at 6:00, and Ask Jeeves MySearch software is first seen at 15:50. Video also shows installation of 180solutions, multiple programs from eXact Advertising, the IBIS WebSearch toolbar, PeopleOnPage, ShopAtHomeSelect, SurfSideKick, WindUpdates, and many more. The underlying network transmissions show that the security exploit at issue was syndicated through the targetnet.com ad network -- Mamma Media, publicly-traded on Nasdaq Small Cap.
I have other videos available upon request, including nonconsensual AJ installations dating back to November 2004. See also my November 2004 exploit video.
I'm surprised that Ask Jeeves allows these nonconsensual installations. Ask Jeeves is a publicly-traded company with a 10-digit valuation (slated to be acquired by InterActiveCorp for $1.85 billion). If Ask Jeeves staff made a serious effort to screen and supervise their distribution partners, they could prevent this kind of mess.
Continued: The New York Attorney General's suit against Intermix, and its significance.
Misleading Installations of the Week: PacerD, and Claria's Dope Wars
April 25, 2005 - Permalink
It's Monday morning, so time for more misleading installations. Just like last week, I couldn't stop at only a single example; again I'm providing two.
PacerD's misleading pop-ups ask users to "please click yes" to accept "free browser enhancements." In fact what PacerD offers is an unusually large bundle of a dozen different programs, only some of them disclosed in fine print in PacerD's mislabeled (apparent, purported) license agreement, which in turn is only shown at a user's specific request. But click "Yes" once, and your computer will take a turn for the worse, with no subsequent opportunity to cancel.
As usual, Claria's approach is somewhat more subtle. When Claria bundles its advertising software with the "Dope Wars" video game, Claria prominently tells users that it will deliver advertising. But Claria mentions effects on privacy only midway through a 43-page license agreement that begins with three tedious pages of all-caps text. My sense is that few "Dope Wars" players are likely to wade through this lengthy license. So if Dope Wars users install Claria, they'll do so without first understanding what Claria will do to their PCs.
On some level, these two installations could hardly be more different. PacerD installs a dozen programs from numerous different companies; Claria installs just one. PacerD shows a popup while users are just trying to surf the web; Claria's interruption comes as users are trying to install software they actually want. But in relevant respects, I think these installations are surprisingly similar. For one, both seek to convert users' computers into advertising channels -- tracking what users do, and showing extra advertising. Also, both installations tell users something about the programs they are asked to accept, and both give savvy users an opportunity to learn more, but in each case the prominent on-screen text omits important facts users need to know in order to make sensible choices.
Misleading Installations of the Week: Claria and 180 at Kids Sites
April 18, 2005 - Permalink
"Adware" companies say their businesses are predicated on user consent. (Claria: "... consumers who agree ... "; 180: "permission-based ... opt-in"). Notwithstanding companies' claims, there's no doubt that this kind of advertising software is sometimes installed without consent. See the video I posted last year.
But what about those users who supposedly do consent to receive extra pop-ups? Why did they agree to receive extra advertising that so many other users seem to despise? My sense is that users often don't understand what they're getting -- due to serious deficiencies in installation disclosures. In two new articles, I examine and analyze the installation procedures of Claria and 180, raising doubts as to whether users reasonably knew what would happen when they "accepted" these programs.
Can we say that a user "consents" to an installation if the installation occurred after a user was presented with a misleading advertisement that looked like a Windows dialog box? If that advertisement was embedded within a site substantially catering to children? If that advertisement offered a feature known to be duplicative with software the user already has? If "authorizing" the installation required only that the user click on an ad, then click "Yes" once? If the program's license agreement was shown to the user only after the user pressed "Yes"? These are the facts of recent installations of Claria software from ads at games site Ezone.com.
Details: Claria's Misleading Installation Methods - Ezone.com
Turning to 180: Can we say that a user consents to an installation of advertising-display software where that installation is prominently and repeatedly described as removing advertisements? Where the installation description uses euphemisms like "show ... sponsor websites" but never explicitly states that the program will show advertisements or pop-ups? Where the installation procedure never shows or even references a license agreement? And where all this occurs at sites catering to children?
Details: 180solutions's Misleading Installation Methods - Ezone.com
Lots of companies want to take advantage of users who may be a bit confused, a bit naive, or a bit too quick to click yes. But where users are recruited at sites catering to children, where ads look like Windows messages, or where installation requests resort to misleading euphemisms, I'm not inclined to say that consumers "consent" to the resulting ads and to the resulting transmission of personal information.
New Series on Spyware Installation Methods
April 11, 2005 - Permalink
So-called "adware" companies say nonconsensual installations of their programs are just an "urban legend." (See section 7 of 180's claims in a recent interview.) But when I talk to users whose computers have become infected, I'm consistently told that they don't know how they got the unwanted programs, and they say they certainly didn't consent. How can we understand this divergence? How are users' PCs receiving this unwanted software?
My new Spyware Installation Methods sets out a taxonomy of the ways unwanted programs sneak onto users' computers. Some installations rely on tricking users -- for example, showing confusing popups, or claiming or suggesting that an installation is required to view a web site. Others install unwanted software in bundles with programs users actually want -- sometimes telling users what they're getting in fine print midway through long licenses, but sometimes not even including these minimal disclosures. Finally, some spyware sneaks in through security hole exploits -- without any user consent at all, thanks to defects in users' web browsers or other software. (See the security hole video and write-up I posted last fall.)
There's lots to be done in documenting how unwanted software gets onto users' PCs. My Installation Methods page indexes my work to date, to the extent it's posted online. But I have much more documentation still to be posted -- for example, scores more videos showing security exploits. I'll be making additions in the coming months, as I find better ways to present this work clearly and efficiently, and as I find clients or other revenue sources to help support this work. (I'm still looking! Send suggestions.)
Today I'm also starting what I intend to be a series of weekly updates to my site -- tentatively entitled "misleading installation of the week." Sometimes I'll show massive security hole exploits that render users' computers nearly useless, but sometimes I'll post more "ordinary" infections that "merely" show extra ads or send users' browsing habits to a remote server. At every turn I'll emphasize the trickery common to most installation methods -- the ways that substance (e.g. material omissions, euphemisms, confusing circumstances) and style (e.g. on-screen presentation format, window size and shape, link format) cause users to "accept" software that offers them little or no genuine benefit.
I'm starting this series with 3D Desktop's Misleading Installation Methods. 3D's Flying Icons Screensaver bundles BlazeFind, which in turn bundles 180solutions and half a dozen other programs. To learn what's included, users must puzzle through a dizzying array of licenses -- scroll through one license to find a link to another; scroll through that agreement to find the URLs to others; perfectly retype those URLs; then read each of the resulting licenses. But even if users follow this lengthy procedure, 3D and BlazeFind will ultimately install programs beyond the programs the licenses specifically name. So even diligent users have no way to know in advance what 3D will do to their PCs. Plus, BlazeFind is overzealous in its claims of privacy protection: BlazeFind says the programs it installs don't track users' behavior, but my hands-on testing proves otherwise.
Interestingly, BlazeFind's license states that BlazeFind is a product of CDT, a software distribution company recently purchased by 180solutions. 180 says the CDT acquisition is part of its effort to "clean up" its distribution methods. With practices like these, they certainly have plenty of work ahead. See also a recent Spyware Warrior analysis of other 180 claims and practices in need of correction or improvement.
March 25, 2005 - Permalink
The past three months have brought a dramatic spike in threats, demand letters, and "requests" -- sent from companies who make unwanted software (some might call the programs spyware) to those who detect, remove, block, or write about these programs.
Threatening or suing critics isn't a new idea. Claria made headlines in September 2003 when it filed suit against PC Pitstop, alleging unfair business practices, trade libel, defamation, and interference with contract arising out of PC Pitstop's description of Claria's software. But with more and more threats with each passing week, it's becoming hard even to keep track of the accusations. I've therefore put together a new table listing complainants, targets, and summarized demands.
Details: Threats Against Spyware Detectors, Removers, and Critics.
Advertisers Supporting eXact Advertising
March 14, 2005 - Permalink
I've repeatedly seen software from eXact Advertising installed through security holes, in poorly-disclosed bundles, or otherwise without meaningful (or any) notice and consent. What kind of advertisers would support a company that gets on users' PCs in these ways? I was surprised to find scores of well-known firms promoted by eXact -- including Apple, Chase, Circuit City, Dell, Expedia, Netflix, and Vonage. Cross-referencing eXact's partner list with TRUSTe's member list, I found 85 matches.
My full article gives screenshots of eXact's ads, along with information about the triggers that cause eXact to display certain ads. I also discuss how eXact manages to promote some merchants and to receive payments from such merchants without those merchants having specific knowledge of what is occurring, nor giving their explicit consent.
Details: Advertisers Supporting eXact Advertising.
What P2P Programs Install What Spyware?
March 7, 2005 - Permalink
Request a peer-to-peer filesharing program, and you may be surprised what else gets installed too. I've tested five major P2P programs and analyzed their bundled software. Licenses stretch to as long as 22,000+ words and 180+ on-screen pages. Some P2P apps add additional programs disclosed only in license agreement scroll boxes. And it's not uncommon for a P2P app to create thousands of registry entries. But at least one major P2P program bundles no extra software at all.
My full article analyzes what programs come with what extra software. I have also posted screen-shots of each screen of the lengthy license agreements, and I've noted scores of license anomalies such as broken links, missing section-heading formatting and line breaks, important omissions, and surprisingly one-sided substantive provisions.
Details: Comparison of Unwanted Software Installed by P2P Programs.
How Google's Blogspot Helps Spread Unwanted Software
February 22, 2005 - Permalink
Notwithstanding Google's lofty claims about principles for software notice and consent, certain pages at Google's Blogspot service show misleading popups that try to trick users into installing unwanted programs. If a user gets tricked into pressing "Yes" once, the user often receives extra web browser toolbars and extra popups, along with programs that transmit information about what web sites the user visits. These problems have continued for months, but Google has yet to take the simple action of blocking the JavaScript that lets these popups appear.
Continued: Who's behind the popups; screenshots and videos; other problematic Google practices.
The News, at My Site and Elsewhere
February 9, 2005 - Permalink
I've recently written about increasingly controversial online schemes -- from installations through security holes, to spyware companies deleting each other, to programs that set affiliate cookies to claim commissions they haven't fairly earned.
These aren't nice practices, so I suppose it comes as no surprise that someone -- perhaps some group or company that doesn't like what I'm writing -- has sought to knock my site offline. For much of Monday and Tuesday, as well as several hours last week, all of benedelman.org was unreachable. My prior web host, Globat, tells me I was the target of the biggest DDoS attack they've ever suffered -- some 600MB+/second.
DDoS attacks continue, but I'm fortunate to be back online -- entirely thanks to incredible assistance from Paul Vixie of the Internet Systems Consortium. You may know Paul as the author of Bind or as co-founder of MAPS. (Or just see his Wikipedia entry.) But he's also just an all-around nice guy and, apparently, a glutton for punishment. Huge DDoS attack? Paul is an expert at tracking online attackers, and he's not scared. A special thanks to his Operations, Analysis, and Research Center (OARC) for hosting me. In any case, I apologize for my site's inaccessibility yesterday. I think and hope I've now taken steps sufficient to keep the site operational.
Meanwhile, there's lots of spyware news to share. I now know of fourteen different states contemplating anti-spyware legislation -- a near-overwhelming list that is particularly worrisome since so many bills are silent on the bad practices used by the companies harming the most computer users. (Indeed, seven of the bills are near-perfect copies of the California bill I and others have criticized as exceptionally ineffective.) At the same time, federal anti-spyware legislation continues moving forward -- but in a weak form that I fear does more harm than good.
Then there's COAST's dissolution -- to my eye, the predictable result of attempting to certify providers of unwanted software when their practices remain deceptive. It's reassuring to see Webroot standing up for consumers' control of their PCs, though surprising to see Computer Associates defend COAST's certification procedure as "valuable." Now that Webroot and CA have withdrawn from COAST, COAST seems bound to disappear -- probably better for users than a COAST that continues certifying programs that sneak onto users' PCs.
The final surprise of last week's news: Technology Crossover Ventures joined in a $108 million round of VC funding for Webroot. Wanting to own a piece of Webroot is perfectly understandable. But Private Equity Week recently reported TCV as among investors in Claria, a provider of advertising software that Webroot removes. (See also other investors supporting spyware.) How can TCV fund both Claria (making unwanted software) and Webroot (helping users remove such software)? TCV seems aware of the issue: They've recently removed Claria from their Companies page. But other sources -- periodicals, Archive.org, and the Google cache -- all confirm that the investment occurred. (I made screen-shots for good measure.)
How VeriSign Could Stop Drive-By Downloads
February 3, 2005 - Permalink
For three years, users have faced an onslaught of "drive-by downloads." These popups appear while users browse unrelated web sites, and they install unwanted programs if users merely click "yes" once, without even being shown a license agreement. Microsoft has blocked most drive-by popups with its new Windows XP Service Pack 2, but users with older operating systems still face these deceptive installation attempts.
Who can help fix this problem? VeriSign. Before an ActiveX popup can install software onto a user's computer, the installer must be validated by its digital signature. If VeriSign revoked the digital certificates used by clear wrongdoers -- those with invalid purported company names, or with outrageously deceptive installation practices -- users wouldn't face the misleading popups.
Continued: How revocation works; more screenshots; VeriSign's contractual basis for revocation.
What Hope for Federal Anti-Spyware Legislation?
January 19, 2005 - Permalink
Will the new year bring effective, tough federal anti-spyware legislation? Congress's attempt to block spam, the CAN-Spam Act, was by most reports unsuccessful. But I think Congress could do better with spyware. Spammers tend to be small, fly-by-night operations -- hard for lawyers and courts to find and stop. In contrast, many spyware companies have fancy headquarters and major investors. (See my recently-released list.)
So tough anti-spyware legislation could find and stop the biggest spyware offenders. Unfortunately, from what I've seen so far, any new anti-spyware law will be surprisingly lax. The major effort so far is Rep. Mary Bono's recently-reintroduced SPY Act (H.R.29). Her intentions are surely good, and Reuters has called her bill "tough." But as I read the bill, it's riddled with loopholes and almost certain to be ineffective.
Continued: The bill's specific requirements; analysis; critique; alternative approaches.
180 Talks a Big Talk, but Doesn't Deliver
January 17, 2005 - Permalink
The anti-spyware community has been abuzz all weekend with the news of spyware company 180solutions joining the Consortium of Anti-Spyware Technology (COAST). What's the big deal? My 180 Talks a Big Talk, but Doesn't Deliver identifies three major problems:
1. A conflict in the position of COAST members (PestPatrol, Webroot, and others) -- members selling software that recommends removal of 180 software, while COAST endorses 180
2. Outrageous installation practices -- including installation through security holes, installation in undisclosed or poorly-disclosed bundles, and installations without showing users a license agreement
3. Outrageous advertising practices -- including covering substantially all of competitors' sites, and using affiliate links to claim affiliate commissions in violation of applicable rules and contracts
Continued: Quotes, sources, screenshots, and other analysis.
January 12, 2005 - Permalink
Recent news reports, press releases, and other documents have chronicled investments in companies making spyware. I've gathered and organized these documents into a single table, to be updated as new information becomes available. See my new Investors Supporting Spyware.
Claria's Practices Don't Meet Its Lawyers' Claims
January 4, 2005 - Permalink
Among the highlights of my winter holiday reading was a MediaPost interview of Reed Freeman, chief privacy officer of Claria. Freeman makes a series of claims about Claria's practices -- setting out high standards that he claims Claria already meets. As it turns out, his claims are in multiple instances verifiably false.
For example, Freeman claims Claria has "the intuitive and standard Windows uninstall process." I disagree. Install Claria software in a bundle with Kazaa, and there will be no "Claria," "Gator," or "GAIN" listing in Control Panel's Add/Remove Programs. Same for the other programs that bundle Gator (like DivX and Grokster). Instead, users who want to remove Gator are required to figure out that they need to select the "Kazaa" entry in Add/Remove Programs. That's neither intuitive nor standard.
My full article offers multiple additional examples of false claims in Freeman's interview. I document his errors with screenshots and quotes, and I compare Claria's actual behavior with the better practices of selected competitors.
Continued: More false claims; analysis, documentation, and screenshots.
Media Files that Spread Spyware
January 2, 2005 - Permalink
Users have a lot to worry about when downloading and playing media files. Are the files legal? Can their computers play the required file formats? Now there's yet another problem to add to the list: Will a media file try to install spyware?
When Windows Media Player encounters certain special media files, it opens web pages specified by the files' creator. I recently tested one such file, which opens a deceptive popup that attempts to install software on a user's PC. If a user is tricked into pressing Yes once -- in response to the program's false claim that a user "must" accept it -- the program fills the user's computer with unwanted programs. In my testing, some 31 programs, 786 files, and 11,915 registry entries were added in a matter of minutes.
Ebates Installed through Security Holes
December 15, 2004 - Permalink
I've long been a fan of online shopping site Ebates. Sign up for their service, visit their web site, click through their special links to merchants (including merchants as distinguished as Dell, Expedia, IBM, and L.L. Bean), and earn a small cash back, generally a few percent of your purchase.
But another side of Ebates' business has become controversial: Ebates uses a software download called "Moe Money Maker" (MMM) to automatically claim merchants' affiliate commissions, then pay users cash back -- even if users don't visit Ebates' web site, and even if users don't click through Ebates' special links. Why the controversy? I see at least two worries: 1) Aggressive installations -- including installation through security holes without any user notice or consent, as shown in a video I made last month. 2) Breaking affiliate networks' rules to claim commissions that would otherwise go to other affiliates.
Direct Revenue Deletes Competitors from Users' Disks
December 7, 2004 - Updated December 9, 2004 - Permalink
For companies making programs that show users extra pop-up ads, one persistent problem is that users are bound to take action once their computers get too clogged with unwanted software. Find a removal tool, hire a technician, reinstall Windows, buy a new computer, or just stop using the Internet -- whatever users do, the pop-up companies won't make any more money if users don't keep surfing, and don't keep clicking the ads. The problem is all the worse because so many unwanted programs install others. So if a user has one program showing extra pop-ups, the user might soon have five more.
What's an "adware" company to do? Direct Revenue has one idea: Delete its competitors' programs from users' hard disks. With the other programs gone, users' computers will run more or less as usual -- showing some extra ads from Direct Revenue, but perhaps not attracting so much attention that users take steps to remove all unwanted software.
Direct Revenue's End User License Agreement provides, in relevant part:
"[Y]ou further understand and agree, by installing the Software, that BetterInternet and/or the Software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer ..."
I've observed the removals Direct Revenue's EULA seems to anticipate -- and I've even made videos and packet-logs of my findings. I'm not the only one to notice what's happening: I've just received a copy of a lawsuit filed by Avenue Media, complaining that Direct Revenue is "systematically deleting Avenue Media's Internet Optimizer without users' knowledge or consent."
Continued: Avenue Media's complaint, and my analysis showing methods of targeting and removal.
November 29, 2004 - Permalink
Gator has previously received extensive criticism for confusing installations, for difficult uninstalls, for transmission of personal information, and for covering web sites with their competitors' advertisements. More recently, Gator has taken steps to portray itself in a more positive light: Gator changed its name to Claria, hired a former FTC staff attorney as chief privacy officer, and even supported anti-spyware legislation. (But see my criticism of the law as ineffective.)
Has Gator turned over a new leaf? For insight, I turned to Gator's license agreements, to see how Gator currently presents itself to ordinary users.
Buried within Gator's 5,936 word, 63-page license are some surprises. While purporting to defer to "user choice," Gator prohibits removal of its software using third-party tools like Ad-Aware and Spybot. Gator also bars users from examining what data Gator transmits over users' Internet connections.
What's missing from Gator's license is almost as notable as what's there: For one, Kazaa's current Gator installer no longer offers one-click access to searchable, printable license text. For another, the installer lacks the bold type and line breaks that previously identified section headings within Gator's license. In addition, although Gator calls itself an adware company, the word "adware" appears nowhere in the license. Even the phrase "pop-up ad," seemingly describing the core of Gator's business, is used in the license only once, there referring to pop-up surveys, not to advertising.
Continued: license text, detailed analysis, and screenshots.
Who Profits from Security Holes?
November 18, 2004 - Updated November 24, 2004 - Permalink
I've written before about unwanted software installed on users' computers via security holes. For example, in July I mentioned that 180solutions software was being installed through Internet Explorer vulnerabilities. (See also 1, 2, 3) More recently, researchers Andrew Clover and Eric Howes (among others: 1, 2) have described increasing amounts of unwanted software being installed through security holes.
How bad is this problem? How much junk can get installed on a user's PC by merely visiting a single site? I set out to see for myself -- by visiting a single web page taking advantage of a security hole (in an ordinary fresh copy of Windows XP), and by recording what programs that site caused to be installed on my PC. In the course of my testing, my test PC was brought to a virtual stand-still -- with at least 16 distinct programs installed. I was not shown licenses or other installation prompts for any of these programs, and I certainly didn't consent to their installation on my PC.
In my testing, at least the following programs were installed through the security hole exploit: 180solutions, BlazeFind, BookedSpace, CashBack by BargainBuddy, ClickSpring, CoolWebSearch, DyFuca, Hoost, IBIS Toolbar, ISTbar, Power Scan, SideFind, TIB Browser, WebRebates (a TopMoxie distributor), WinAD, and WindUpdates. (All programs are as detected by Ad-Aware.) I have reason to believe that numerous additional programs were also installed but were not detected by Ad-Aware.
See a video of the installations. The partial screen-shot at right shows some of the new directories created by the security exploit.
Other symptoms of the infection included unwanted toolbars, new desktop icons (including sexually-explicit icons), replacement desktop wallpaper ("warning! you're in danger! all you do with computer is stored forever in your hard disk ... still there and could broke your life!" (sic)), extra popup ads, nonstandard error pages upon host-not-found and page-not-found error conditions, unrequested additions to my HOSTS file, a new browser home page, and sites added to my browser's Trusted Sites zone.
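The testing method described in this entry and in the Media Files entry above (a fresh Windows install, then an inventory of what a single page or file caused to be added: programs, files, registry entries, HOSTS lines, Trusted Sites entries) amounts to a baseline-versus-after comparison. The script below is an added example, not code from the original site; it works on snapshots I construct inline (the file paths, registry keys, and host names are made up, and the program names are taken from the list above), and it separates HOSTS changes that block a name (pointing it at loopback) from changes that redirect it to a remote address, and picks out new Run-key entries as persistence.

```python
"""Baseline-vs-after inventory comparison for an unwanted-software test.

Added example; the snapshots below are constructed, not data from the
original testing. A real run would fill Snapshot from an installed-programs
list, a file-system walk, a registry export, the HOSTS file and the
Internet Explorer zone settings taken before and after the test visit.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Snapshot:
    programs: set       # names from the installed-programs list
    files: set          # full paths
    registry: set       # full key paths
    hosts: dict         # hostname -> ip, parsed from the HOSTS file
    trusted_sites: set  # patterns in the browser's Trusted Sites zone


def parse_hosts(text):
    """Parse HOSTS-file text into {hostname: ip}, ignoring comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def hosts_changes(before, after):
    """Classify added or changed HOSTS entries.

    Loopback targets 'block' a name (also worth review: blocking an
    anti-virus update site is a known tactic); anything else 'redirects'
    the name to a remote address the user did not choose.
    """
    changes = {}
    for name, ip in after.items():
        if before.get(name) == ip:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; not a usable mapping
        kind = "blocked" if addr.is_loopback else "redirected"
        changes[name] = (kind, ip)
    return changes


def build_report(before, after):
    """Summarize everything that appeared between the two snapshots."""
    new_registry = after.registry - before.registry
    return {
        "programs_added": sorted(after.programs - before.programs),
        "files_added": len(after.files - before.files),
        "registry_added": len(new_registry),
        # autostart entries are how the added programs survive a reboot
        "autorun_added": sorted(k for k in new_registry
                                if "\\CurrentVersion\\Run\\" in k),
        "hosts_changed": hosts_changes(before.hosts, after.hosts),
        "trusted_sites_added": sorted(after.trusted_sites - before.trusted_sites),
    }


# Constructed snapshots (hypothetical paths, keys and host names).
BEFORE = Snapshot(
    programs={"Internet Explorer 6"},
    files={r"C:\Windows\system32\kernel32.dll"},
    registry={r"HKLM\Software\Microsoft"},
    hosts=parse_hosts("127.0.0.1 localhost"),
    trusted_sites={"*.microsoft.com"},
)
AFTER = Snapshot(
    programs=BEFORE.programs | {"ISTbar", "WinAD", "IBIS Toolbar"},
    files=BEFORE.files | {r"C:\Program Files\ISTbar\istbar.dll",
                          r"C:\Program Files\WinAD\winad.exe"},
    registry=BEFORE.registry | {
        r"HKCU\Software\ISTbar",
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinAD"},
    hosts=parse_hosts("127.0.0.1 localhost\n"
                      "127.0.0.1 www.antivirus-updates.test   # blocks updates\n"
                      "203.0.113.5 www.search-engine.test     # hijacks a search site\n"),
    trusted_sites=BEFORE.trusted_sites | {"*.istbar.test"},
)

if __name__ == "__main__":
    for key, value in build_report(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

Counting files and registry entries the way the entries above do is the cheap part; the classification of HOSTS and Run-key changes is what turns the count into something a support technician can act on.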
Grokster and Claria Take Licenses to New Lows, and Congress Lets Them Do It
October 9, 2004 - Permalink
When users agree to install Grokster, Grokster adds an exceptional bundle of 15+ programs. But Grokster also installs some of these unwanted programs even when users press CANCEL. Meanwhile, Claria's license is longer than ever. Worst of all, proposed federal legislation is weak and would largely allow these practices to continue.
Details: Installation screen-shots, analysis, and a close reading of proposed federal legislation.
California's Toothless Spyware Law
September 29, 2004 - Permalink
Governor Schwarzenegger recently signed into law SB 1436 ("Computer Spyware"), a California bill that speaks to certain programs installed on users' computers. The bill admittedly speaks to programs that trick users, harm users, and take advantage of users. But its scope is so limited and its protections are so weak that this law is worse than no law at all. The bill lets Claria's practices -- including its lengthy and confusing license -- continue unmodified, so it's no surprise that Claria actually supports this approach.
Details: Close reading of the bill and its revision process; analysis of effects.
July 8, 2004 - Permalink
Software from 180solutions opens double and hidden windows to claim affiliate commissions when users make purchases from targeted merchants.
Details: My introduction with context and overview. Full article in The Effect of 180solutions on Affiliate Commissions and Merchants.
June 30, 2004 - Permalink
Ever wonder who advertises on WhenU? A few reporters have tried to figure this out but have been stymied: Few companies care to talk about their use of Claria or WhenU. (WSJ [paid registration required], BusinessWeek).
So I thought I'd put together a list of all of WhenU's current advertisers -- all the companies showing graphical ads (not just sponsored link text) on WhenU's system. There are 234 distinct advertisers, by my count. The biggest advertisers (by advertisement count) are Priceline (51 ads), J.P. Morgan Chase (43), Casino On Net (37), Verizon (28), Orexis (24). Major advertisement categories:
| Category | Advertisements | Advertisers |
| Gambling, Betting and Bingo | 327 | 49 |
| Loans | 263 | 35 |
| Travel | 213 | 21 |
Further down the list, 102 ads for insurance, 99 for sexual health (mostly Viagra and similar products) and even some ads for online psychics and online cigarette sales.
All the details, and thousands of advertisement thumbnails, are in Advertisers Using WhenU.
Utah Spyware Control Act On Hold
June 22, 2004 - Updated July 7, 2004 - Permalink
Today brought closing arguments in WhenU.com, Inc., v. The State of Utah.
After closing arguments, Judge Fratto granted WhenU's Motion for Preliminary Injunction, enjoining current enforcement of the Spyware Control Act. Ruling from the bench, Judge Fratto stated that he was not persuaded that WhenU had satisfied the requirements of showing a substantial likelihood of prevailing on the merits of its constitutional challenge as to the spyware provisions of the Act, but that WhenU had satisfied such showing regarding the context-triggered pop-up ads provision. Nonetheless, Judge Fratto enjoined enforcement of the act in its entirety. See transcript of ruling.
For my perspective on the factual portion of the hearing, June 10-11, see Report from WhenU v Utah.
June 11, 2004 - Updated June 13, 2004 - Permalink
In April I mentioned WhenU's suit against the state of Utah, challenging Utah's recent Spyware Control Act. Oral argument took place yesterday and today as to WhenU's motion for preliminary injunction.
June 4, 2004 - Updated June 9, 2004 - Permalink
Lots of companies have a puzzling relationship with spyware. For example, a recent eWeek article pointed out the complexities in Yahoo!'s relationship with Claria: My research of last year found that yahoo.com is the single most targeted domain of the many thousands Claria targets with its context-triggered popups. More recently, Yahoo! released a toolbar that uninstalls Claria software. These facts suggest that Yahoo! would dislike Claria and would actively oppose Claria's activities. Nonetheless, Yahoo! remains a major supplier to Claria (via Yahoo!'s Overture sponsored link service, which reportedly provides 30% of Claria's revenue, per Claria's S-1 filing).
Even more puzzling, Dell both suffers from spyware and receives web traffic from Claria's advertising services. In recent comments to the FTC (PDF page 70), Dell's Maureen Cushman reported that spyware is Dell's "number one call driver" as of late 2003, and that spyware is responsible for as much as 12% of calls to Dell tech support.
Nonetheless, my testing shows that Dell UK ads run on the Claria ad network. See the ad shown at right (among several other ads also from Dell UK), which I received while viewing the IBM.COM site. My further testing indicates that Claria shows several Dell UK ads when users visit the sites listed below (perhaps among others). (Note that users might have to visit particular parts of the sites listed here -- i.e. the computers section of amazon.co.uk, not just other parts of the Amazon site.)
ebay.co.uk, hp.com, msn.co.uk, apple.com, amazon.co.uk, ibm.com, kelkoo.co.uk, bt.com, pricerunner.com, dabs.com, dealtime.co.uk, johnlewis.com, dooyoo.co.uk, comet.co.uk, ebuyer.com, pcworld.co.uk, dixons.co.uk, acer.co.uk, abrexa.co.uk, sony.co.uk, simply.co.uk, priceguideuk.com, toxiclemon.co.uk, packardbell.co.uk, microwarehouse.co.uk, evesham.com, toshiba.co.uk, cclcomputers.co.uk, morgancomputers.co.uk, timecomputers.com, sony-cp.com, europc.co.uk, empiredirect.co.uk
Dell staff tell me that the ads were unauthorized, placed by an affiliate without Dell's permission. My inspection of the ads (and their link destinations) is consistent with this claim. But my inspection of Claria configuration files further suggests that the ads ran on the Claria network since at least February 6, 2004 -- some four months ago. Why didn't Dell notice this problem until I brought it to their attention?
If this is just a glitch, what procedures could Dell (and other companies) implement to make sure their ads are placed through only authorized channels? I'd be honored to work with interested advertisers to think through the possibilities for automatic or scheduled monitoring, testing, etc.
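One concrete form the monitoring suggested here could take: record the click-through destinations of ads observed on a network, and check each against the advertiser's own list of authorized affiliate identifiers. The script below is an added example, not something Dell or Claria runs; the domain "dell.example", the "aff" parameter name and the affiliate IDs are all constructed placeholders, and a real deployment would feed it URLs captured from scheduled test browsing.

```python
"""Audit observed ad click-through URLs against authorized affiliate IDs.

Added example with constructed data: the advertiser domain, the affiliate
parameter name and the IDs are placeholders, not real Dell values.
"""
from urllib.parse import urlsplit, parse_qs

# Advertiser policy: which query parameter carries the affiliate ID and
# which IDs the advertiser has actually authorized to place its ads.
AUTHORIZED = {
    "dell.example": {"param": "aff", "ids": {"A1001", "A1002"}},
}

# Constructed observations: (ad label, final landing URL after redirects).
OBSERVED = [
    ("Dell UK laptop ad", "https://www.dell.example/laptops?aff=A1001&cid=summer"),
    ("Dell UK desktop ad", "https://www.dell.example/desktops?aff=Z9999"),
    ("Dell UK monitor ad", "https://www.dell.example/monitors"),
    ("Unknown brand ad", "https://shop.other.example/?aff=A1001"),
]


def registrable_part(host):
    """Crude registrable-domain guess: last two labels of the host name."""
    return ".".join(host.lower().split(".")[-2:])


def audit_placements(observed, authorized):
    """Return (label, problem) for every ad that fails the policy check."""
    findings = []
    for label, url in observed:
        parts = urlsplit(url)
        policy = authorized.get(registrable_part(parts.netloc))
        if policy is None:
            findings.append((label, "destination not a known advertiser domain"))
            continue
        ids = parse_qs(parts.query).get(policy["param"], [])
        if not ids:
            # an ad with no affiliate ID cannot be attributed to any channel
            findings.append((label, "no affiliate id on landing URL"))
        else:
            bad = sorted(i for i in ids if i not in policy["ids"])
            if bad:
                findings.append((label, "unauthorized affiliate id: " + ",".join(bad)))
    return findings


if __name__ == "__main__":
    for label, problem in audit_placements(OBSERVED, AUTHORIZED):
        print(f"{label}: {problem}")
```

Run on a schedule against freshly captured ads, the unauthorized-ID finding is the one that would have surfaced the placement described above months earlier.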
A note on my research methods: In May-June 2003, I offered a Gator real-time testing service that reported, on request, which ads (if any) targeted a given web site. I have subsequently disabled this site, so it provides only archived data. But I can still provide current Gator targeting data upon request. Interested readers, please get in touch by email.
June 1, 2004 - Permalink
Every program installed on users' PCs exposes users to potential security risks -- for any program can contain design flaws that let attackers take control of a user's computer. But experience shows some kinds of programs to be far more risky than others. Frequent readers of my site won't be surprised to learn that software from WhenU, distributed on WhenU's own web site until mere weeks ago, is among the programs with security vulnerabilities that let attackers take over users' PCs. My new WhenU Security Hole Allows Execution of Arbitrary Software explains the specific WhenU software found to be vulnerable, and shows what an attacker would have to do to take advantage of the vulnerability.
Details: The scope of the vulnerability; testing methodology; consequences.
WhenU Breaks Its Privacy Promise
May 24, 2004 - Permalink
In July 2003, I noticed -- and shortly notified WhenU -- that WhenU's software transmits to its servers the URLs that users visit, and that it does so every time it shows a user an ad. What's the big deal? WhenU's privacy policy said it wouldn't do this: "URLs visited ... are not transmitted to whenu.com or any third party server." Many of WhenU's software installers carry an even more explicit, but equally false, statement: "... does not track, collect or send your browsing activity anywhere." What did WhenU do in response to my notification? Nothing, so far as I know.
Fast-forward eight months. I mentioned WhenU's privacy violation in my FTC comments (PDF), and an FTC workshop speaker mentioned it (citing me) in his oral comments, with WhenU's CEO and counsel present in the room. What did WhenU do? Again, nothing, so far as I know.
But this past Friday, I released to the public my new WhenU Violates Own Privacy Policy. I've revised my research of last summer and this spring -- explaining things a bit more clearly, better tracking the duration and scope of the violation, and adding formatting to make the work easier to read. What did WhenU do? This time, finally, WhenU changed its privacy policy, to better describe its actual practice. But WhenU only made the change in some places -- namely only on its web site, but not in the installer screens users look at as they decide whether or not to install WhenU software. So even today, as users install WhenU software, they are told -- falsely -- that WhenU doesn't track, collect, or send their browsing activity. (screen-shots)
This is a troubling situation: For one, there's the ten month lag between the violation first being brought to WhenU's attention, and WhenU doing anything to even begin to address it. Then there are the thirty million users who reportedly run WhenU software. As users installed WhenU's programs, WhenU promised not to send or track which URLs they visited. Instead, WhenU sent this information all along, and even continues sending it this very minute. Can WhenU correct the violation merely by changing its privacy policy web page?
Details, including HTTP logs and screen-shots, are in my WhenU Violates Own Privacy Policy.
Research on WhenU Search Engine Spamming, and Its Consequences
May 12, 2004 - Updated May 22, 2004 - Permalink
Today I released WhenU Spams Google, Breaks Google 'No Cloaking' Rules, documenting at least thirteen web sites operated with WhenU's knowledge and approval (if not at WhenU's specific request) that use prohibited methods to attempt to manipulate search engine results as to searches for WhenU and its products.
CFP Presentation on Search Engine Omissions; Spyware Workshop Comments
April 21, 2004 - Updated June 3, 2004 - Permalink
Today I presented Empirical Research on Search Engine Omissions at Computers, Freedom, and Privacy (CFP) in Berkeley, CA. My presentation focused on two prior empirical projects in which I documented sites missing from Google search results: Localized Google Search Result Exclusions (documenting 100+ controversial sites missing from google.de, .fr, and .ch) and Empirical Analysis of Google SafeSearch (documenting thousands of unobjectionable and non-sexually-explicit sites missing from google.com when users enable Google's SafeSearch feature to attempt to omit sexually-explicit content).
On Monday I was in DC for the FTC's Spyware Workshop. I thought the final panel, Governmental Responses to Spyware, did a fine job of explaining the legislative options on the table, and of noting the pressure to address the problem of spyware for the large and growing number of affected users. But I was dismayed that the first panel (Defining Spyware) classified as fine and unobjectionable certain programs that, in my experience, users rarely want, yet often find installed on their computers. Key among these undesired programs are software from Claria (formerly Gator) and WhenU. The technical experts on the second and third panels agreed that these programs pose major problems and costs for users and tech support staff. Yet the first panel seemed to think them perfectly honorable.
WhenU Sues to Block Utah's Spyware Control Act
April 13, 2004 - Permalink
Yesterday WhenU filed suit in Utah, seeking that Utah's Spyware Control Act be declared void and invalid.
See WhenU.com, Inc., v. The State of Utah - Case Documents, including WhenU's complaint (PDF).
Utah 'Spyware Control Act' Signed
March 23, 2004 - Permalink
Governor Olene Walker signed the Spyware Control Act today. To my knowledge, this makes Utah the first state to specifically regulate spyware.
Details: A Close Reading of the Spyware Control Act.
New Publications about Spyware Legislation and Regulation
March 17, 2004 - Updated March 19, 2004 - Permalink
1) A Close Reading of the Spyware Control Act takes a careful look at the spyware legislation recently passed in Utah and now awaiting the governor's signature.
2) Methods and Effects of Spyware (PDF) is my written response to the FTC's call for comments (PDF) on spyware. I explain how spyware works, including presenting specific personal information transmitted by both Gator and WhenU. (The WhenU transmissions are particularly notable because these transmissions seem to violate WhenU's own privacy policy.)
Further details on these publications.
February 5, 2004 - Permalink