Ben Edelman - Archives

Featured Research

To print coupons from Coupons.com, users must install Coupons.com's coupon-printing software. Unbeknownst to users, Coupons.com's software disguises its key files as part of Windows -- with deceptive names like c:\windows\uccspecc.sys and c:\windows\WindowsShellOld.Manifest. Furthermore, Coupons.com leaves these misnamed files on disk even if a user uninstalls Coupons.com software -- making it particularly hard for users to fully rid themselves of Coupons.com.

Meanwhile, Coupons.com is remarkably lax with the ID number it assigns to each user. Without any meaningful statement in its privacy policy, Coupons.com prints a user ID on each coupon. Furthermore, the design of Coupons.com's coupon-printing software lets any web site (even sites with no relationship to Coupons.com) access and retrieve users' Coupons.com user IDs. Finally, Coupons.com's Veri-fi system lets any interested person check which coupons a given user has printed -- potentially revealing significant information about the users' purchasing interests.

Last November, Zango and the FTC announced a settlement of the FTC's investigation of Zango's practices. Among the key requirements: Zango agreed to install only after "clearly and prominently disclos[ing] the material terms [of its software] prior to the display of, and separate from, any [EULA]." Zango further agreed to label each of its ads with a “clear[] and prominent[]” marking as to the source of the ad, as well as a hyperlink to removal and complaint procedures.

Some of Zango's installations do some of what the settlement requires. But others don't. Today I'm posting Zango Practices Violating Zango's Recent Settlement with the FTC. In a series of screenshots, I show widespread Zango installations with no disclosure outside of a EULA. I also present numerous Zango ads appearing with no labeling at all.

Flush with cash from its recent IPO, ComScore might be expected to exert unmatched care in the distribution of its tracking software. But my tests indicate otherwise. In today's article, I describe multiple recent ComScore RelevantKnowledge installations that occur without user consent. I provide video proof of one such installation.

Spyware programs continue to claim commissions on merchants' organic traffic. When users simply type in a site's address and make a purchase, merchants shouldn't have to pay an affiliate commission. But spyware programs often monitor what web sites users visit, and when they sees users browse a targeted merchant, they often pop open an affiliate link to that merchant. If a user then makes a purchase, the merchant pays the affiliate a commission -- even though the affiliate did nothing whatsoever to facilitate or encourage the sale.

In today's article, I show six examples of spyware programs using these methods to cheat Blockbuster and Netflix. As usual, I offer screenshots, videos, and annotated packet logs to confirm what occurred.

Earlier this year, I wrote a program I call the "Automatic Spyware Advertising Tester" ("AutoTester"). On a set of virtual machines infected with a variety of spyware, the AutoTester browses a set of test scenarios -- viewing web pages, running searches, and even adding items to shopping carts at retailers' sites. The AutoTester keeps a full log of what happens -- a video of what pop-ups appear, and a packet log of what network transmissions occur. If the AutoTester observes any improper traffic (such as an unexpected and unrequested affiliate link), it records that event in a log file, and it tags the video and packet log accordingly.

Some sites use cheap spyware traffic to inflate their traffic statistics. Unfortunately, traffic measurements mistakenly assume users arrive at sites because they actually wanted to go there, without considering the possibility that some visits are involuntary. So a slew of cheap spyware-delivered popups can cause a site to be reported to be more popular than it really is.

Forced visits harm investors (who risk overpaying for a site based on inflated measures of popularity), advertisers (who overpay for ad space), and consumers (whose spyware infections are funded in part from forced visit payments)

That said, it's possible to detect sites using spyware to inflate their traffic counts: Just install some spyware on a test PC, and watch what ads are displayed. My article gives the details.

A Cingular ad injected into Google by Fullcontext spyware - February 17, 2007

In January, the New York Attorney General announced an important step in the fight against spyware: Holding advertisers accountable for their payments to spyware vendors. In Assurances of Discontinuance, Cingular (now part of AT&T), Priceline, and Travelocity each agreed to cease use of spyware -- to require all marketing partners not to use advertising software that installs without disclosures and consent, that fails to label ads, or that fails to offer an easy procedure to uninstall. These requirements apply to ads purchased directly by Cingular, Priceline, and Travelocity, as well as to all marketing partners acting on their behalf.

Unfortunately, both Cingular and Travelocity have failed to sever their ties with spyware vendors. Today I post six examples showing Cingular and Travelocity both continuing to receive spyware-originating traffic, including traffic from some of the web's most notorious and most widespread spyware

Bad Practices Continue at Zango, Notwithstanding Proposed FTC Settlement and Zango's Claims

Earlier this month, the FTC announced the proposed settlement of its investigation into Zango, makers of advertising software widely installed onto users' computers without their consent or without their informed consent (among other bad practices). I commend the proposed settlement's core terms. But I don't think Zango is actually complying with the proposed settlement's requirements. Nor does compliance appear to be likely in the near future.

In today's joint piece with Eric Howes, I present numerous specific examples of violations -- along with appropriate screenshot and video proof showing the prohibited practices.

I recently had the honor of serving as an expert witness in The People of the State of California v. Intermix Media, Inc., litigation brought by the City Attorney of Los Angeles against Intermix. Though Intermix is better known for creating MySpace, Intermix also made spyware that, among other effects, can become installed on users' computers without their consent.

On Monday the parties announced a settlement under which Intermix will pay total monetary relief of $300,000. Intermix will also assure that third parties cease continued distribution of its software, among other injunctive relief. These penalties are in addition to Intermix's 2005 $7.5 million settlement with the New York Attorney General.

In the course of this matter, I had occasion to examine my records of past Intermix installations. I also conducted new research to demonstrate how Intermix installations used to procede -- what notice (if any) was provided, and what consent (if any) was obtained. To my surprise, I also found evidence of ongoing installations -- despite Intermix's promise of having "permanently discontinue[d]" this business a year and a half ago..

Last year I documented Ask toolbars installing without consent as well as installing by targeting kids. Ask staff admitted both practices are unacceptable, and Ask promised to make them stop. Unfortunately, Ask has not succeeded.

In Current Practices of IAC/Ask Toolbars, I report notable current Ask practices. I show Ask ads running on kids sites and in various noxious spyware, specifically contrary to Ask's prior promises. I document yet another installation of Ask's toolbar that occurs without user notice or consent. I point out why Ask's toolbar is inherently objectionable -- especially its rearrangement of users' browsers and its excessive pay-per-click ads to the effective exclusion of ordinary organic links. I compare Ask's practices with its staff's promises and with governing law -- especially "deceptive door opener" FTC precedent, prohibiting misleading initial statements even where clarified by subsequent statements.

Read Google's voluminous Adwords Content Policy, and you'd think Google is awfully tough on bad ads. If your company sells illegal drugs, makes fake documents, or helps customers cheat drug tests, you can't advertise at Google. Google also prohibits ads for fireworks, gambling, miracle cures, prostitution, radar detectors, and weapons. What kind of scam could get through rules like these?

As it turns out, lots of pay-per-click advertisers push and exceed the limits of ethical and legal advertising -- like selling products that are actually free, or promising their services are "completely free" when they actually carry substantial recurring charges. For example, the ad at right claims to offer "100% complimentary" and "free" ringtones, when actually the site promotes a services that costs approximately $120 per year.

In False and Deceptive Pay-Per-Click Ads, I show more than 30 different advertisers' ads, all bearing claims that seem to violate applicable FTC rules (e.g. on use of the word "free"), or that make claims that are simply false. I then analyze the legal and ethical principles that might require search engines to remove these ads. Finally, I offer a mechanism for interested users to submit other false or deceptive ads they find.

When a stranger promises "you can trust me," most people know to be extra vigilant. What conclusion should users draw when a web site touts a seal proclaiming its trustworthiness? Some sites that are widely regarded as extremely trustworthy present such seals. But those same seals feature prominently on sites that seek to scam users -- whether through spyware infections, spam, or other unsavory practices.

Today I'm posting Adverse Selection in Online "Trust" Authorities, an empirical look at the best-known certification authority, TRUSTe. I cross-reference TRUSTe's ratings with the findings of SiteAdvisor -- where robots check web site downloads for spyware, and submit single-use addresses into email forms to check for spam, among other automated and manual tests. Of course SiteAdvisor data isn't perfect either, but if SiteAdvisor says a site is bad news, while TRUSTe gives it a seal, most users are likely to side with SiteAdvisor.

My key finding: Sites certified by TRUSTe are more than twice as likely to be untrustworthy as a random sampling of popular sites. The relative hazards of TRUSTe-certified sites hold even when analysis controls for site attributes and for site complexity.

Today I'm posting Cookies Detected by Anti-Spyware Programs: The Current Status, reporting the results of hands-on testing of various anti-spyware programs, as to 50 different advertising cookies. I've found some striking results -- cookies from plenty of major advertising networks flagged as harmful "spy cookies" by leading anti-spyware programs. But other networks, including Google, are not detected at all.

What to make of this mess? Why are some cookies detected and others ignored? And why detect cookies in the first place? My article suggests some answers. I also report the raw data -- which specific programs detect which specific cookies. I even provide a calculator by which advertisers' partners and affiliates can estimate their revenue losses from cookie deletion.

For years, I and others have observed Vonage ads shown by spyware. In its litigation against Intermix, the New York Attorney General specifically documented Vonage's ads appearing in Intermix KeenValue pop-ups. BusinessWeek last week reported that Vonage paid Direct Revenue $31,570 in a single month of 2005 -- a remarkable $110 for each customer referral. In 2005 the Associated Press even managed to discuss Vonage's spyware advertising with Vonage CEO Jeffrey Citron. Citron claimed Vonage does "do[es] everything we can" to keep its ads out of spyware -- but in my testing, Vonage's supposed best efforts aren't nearly good enough.

A Vonage ad injected into the Google site, without Google's permission.

Today I post a dozen recent examples of Vonage ads appearing in spyware. I present the "usual" spyware-delivered pop-ups -- distributed by vendors like Direct Revenue and Targetsaver. But I also show some Vonage placements that are even more outrageous. I show spyware vendors injecting Vonage ads into others' web sites without permission from those sites, as in the Google thumbnail at right. Google doesn't sell ads like that shown in the thumbnail -- not to anyone, for any price. But through spyware, Vonage ads appear there nonetheless. At least as pernicious, other spyware actually replaces web sites' ads with ads for Vonage -- reducing those sites' revenues for Vonage's benefit.

A sexually-explicit ad served unrequestedby ZenoTecnico spyware.

Most spyware pop-ups show users material they don't want. If I request the British Airways site, I probably want to book with them, not with some other booking service. After all, if I had wanted to comparison shop, I would have gone to a comparison shopping site. So a spyware-delivered Travelocity pop-up is likely to be an unwelcome intrusion on my screen.

But spyware intrusions can be worse than annoyances. Consider the problem of unrequested sexually-explicit pop-ups. Shown to adults, they're unwanted at best. Shown to kids, they can be affirmatively harmful.

In today's piece, I present several examples of spyware-delivered ads that show sexually-explicit materials, without a user previously requesting any such materials. As usual, I have screenshot and packet log proof, along with video where helpful -- all modified to obscure sexually-explicit areas.

For the last 8 months, I've been following ads from Global-Store, Inqwire, Venus123, and various others -- all sites operated by Hula Direct. They're engaged in a troubling scheme: They buy popups and popunders from various notorious spyware vendors. They show numerous banner ads in "banner farms" without substantial bona fide content. They show advertisers' ads (and charge advertisers for those ad displays) without the advertisers' specific permission. They even reload advertisers' ads to rack up extra fees.

In January I bemoaned the sorry state of search engine results for "screensavers." I pointed out that most "screensavers" ads lead to sites I can't recommend, and I criticized search engines for their failure to enforce higher standards. But this problem goes well beyond that single keyword and that single genre of sites.

Today SiteAdvisor's Hannah Rosenbaum and I released The Safety of Internet Search Engines. We obtain top search engine keywords from authoritative sources like Google Zeitgeist. We extract top organic and sponsored search engine results for those keywords. Then we evaluate site safety, using SiteAdvisor's assessments of spyware, spam, scams, and other Internet menaces.

A representative Google ad -- asking users to pay for software widely available elsewhere for free.

Our most notable result? Search engine ads are a risky business. Overall, across all keywords and search engines, 8.5% of sponsored results were "red" or "yellow" by SiteAdvisor's standards, versus only 3.1% of organic results. It's not unusual to see ads for notorious spyware vendors like Direct Revenue (as documented in my January piece); for sites that charge for software available elsewhere for free (like the ad shown at right, trying to charge $29 for Skype's free phone); and for spammers that send hundreds of mesages per week, if a user enters a single email address. These scams deceive and harm search engine users, and I'd like to see Google update its advertising editorial guidelines to prohibit such practices -- then enforce these rules with appropriate diligence.

Our article includes an abundance of data. I particularly enjoy this chart of Google site safety by individual keyword -- showing "free screensavers" as our single most dangerous search, with other notorious searches including "bearshare," "free music downloads," "winzip," and "kazaa." See also our charts of specific red and yellow sites found within search results.

This week's New York Attorney General suit against Direct Revenue included detailed documents, records, and emails that present Direct Revenue's strategy, intentions, and plans in great detail. I have obtained these documents, organized them, and posted raw files as well as brief summaries.

In August 2005, I posted half a dozen examples of what I call "syndication fraud" -- Yahoo placing advertisers' ads into spyware programs, and charging advertisers for resulting clicks. But Yahoo's spyware problems extend beyond mere syndication fraud. Today I post fresh examples where spyware completely fakes a click -- causing Yahoo to charge an advertiser a "pay-per-click" fee, even though no user actually clicked on any pay-per-click link. This is "click fraud."

Many others have alleged click fraud at Yahoo. (1, 2, 3) But others generally infer click fraud based on otherwise-inexplicable entries in their web server log files -- traffic clearly coming from competitors, from countries where advertisers do no business, or from particular users in excessive volume (i.e. many clicks from a single user). In contrast, my proof of click fraud is direct: I capture these click fraud examples in videos, screenshots, and packet logs that show exactly what happened, and that prove exactly who's responsible.

Despite widespread criticism of Direct Revenue's practices and of adware generally, some well-known companies continue to buy ads from Direct Revenue. I show example Direct Revenue ads from Citi, Netflix, T-Mobile, Travelocity, United, and Vonage, among others.

These days, few advertisers defend "adware" advertising. But the Interactive Travel Services Association is the rare exception. In policies that have been endorsed by 180solutions but criticized by consumers, ITSA endorses adware under strikingly vague and weak conditions.

After so much criticism of installation and operation practices of 180solutions, it's arguably surprising that big companies still advertise with 180. But they do. In a report (PDF) posted today, CDT describes the details. I've posted screenshots showing the specific ads CDT describes, as well as my own discussion analysis of these advertising practices.

In a series of 2005 press releases, 180solutions claimed its new "S3" installer technology would prevent nonconsensual installations of its advertising software. I always doubted this claim: 180's system seemed trivial to bypass.

In the video accompanying this article, I disprove 180's claim by showing a 180solutions distributor that bypasses 180's S3 notice screen. 180's notice screen does appear on screen -- but for less than half a second, at which point the distributor fakes a user's supposed assent to install 180. So users still receive 180's software without agreeing to run it.

Much of the computer security industry acts like spyware is immaculately conceived. Somehow it just appears on computers, we are led to believe, and supposedly all we can do is clean up the mess after it happens, rather than prevent it in the first place. I disagree.

As it turns out, search engine advertising is an important and substantial source of spyware infections. Users search for certain keywords -- "screensavers," for example -- in the misguided hope that search engines' quality standards will keep them safe. Instead, leading search engines sell advertising to the most notorious of spyware and "adware" vendors -- including firms like Direct Revenue and Claria.

Many affiliates violate applicable network and merchant rules. Some violations ultimately become well-known -- like ShopAtHomeSelect installing without consent and claiming commissions automatically, yielding Commission Junction's sensible ejection of SAHS from their network. (Though, oddly, it seems that LinkShare never took action against SAHS.) Other violations attract far less attention.

MyPoints buying traffic from Direct Revenue's "Best Offers Network."

Today I post examples of two well-known affiliates, CoolSavings and MyPoints, buying traffic from Direct Revenue. These affiliates are exceptionally prominent -- with big budgets, favorable press coverage, and even rosy case studies at major affiliate networks. But CoolSavings and MyPoints nonetheless use "adware" to grab merchants' traffic -- a prohibited practice I've previously observed from smaller affiliates, but never from affiliates of this size. It's surprising and, frankly, disappointing to see this behavior from affiliate leaders otherwise held in such high esteem.

I've previously covered a variety of misleading and/or nonconsensual installations by 180solutions. I've recorded numerous installations through exploits (1, 2, 3, 4, 5) -- without any user consent at all. I've found installations in poorly-disclosed bundles -- for example, disclosing 180's inclusion, but only if users happen to scroll to page 16 of a 54-page license. I've even documented deceptive installations at kids sites, where 180 installs without showing or mentioning a license agreement.

The Doll Idol site, which encourages users to install 180 software without a frank disclosure of 180's true effects.

180 has cleaned up some of these practices, but the core deception remains. 180 still installs its software in circumstances where reasonable users wouldn't expect to receive such software -- including web sites that substantially cater to kids. And users still aren't fairly told what they're slated to receive. 180 says that it shows "advertising," but no on-screen text warns users that these ads appear in much-hated pop-ups. 180 systematically downplays the privacy consequences of installing its software -- prominently telling users what the software won't do, but failing to disclose what the software does track and transmit. All told, users may have to press a button before 180 installs on their computer, but users can't reasonably be claimed to understand what they're purportedly accepting.

Much of the spyware problem results from users visiting sites that turn out to be untrustworthy or simply malevolent. I'm certainly not inclined to blame the victimized users -- it's hardly their fault that sites run security exploits, offer undisclosed advertising software, or show tricky EULAs that are dozens of pages long. But the resulting software ultimately ends up on users' computers because users browsed to sites that didn't pan out.

The SiteAdvisor plug-in, evaluating zango.com. Click for full-size screenshot, methodology, more examples, and comparisons with others' efforts.

How to fix this problem? In theory, it seems easy enough. First, someone needs to examine popular web sites, to figure out which are untrustworthy. Then users' computers need to automatically notify them -- warn them! -- before users reach untrustworthy sites. These aren't new ideas. Indeed, half a dozen vendors have tried such strategies in the past. But for various reasons, their efforts never solved the problem. (Details).

This month, a new company is announcing a system to protect users from untrustworthy web sites: SiteAdvisor. They've designed a set of robots -- automated web crawlers, virtual machines, and databases -- that have browsed hundreds of thousands of web sites. They've tracked which sites install spyware -- what files installed, what registry changes, what network traffic. And they've built a browser plug-in that provides automated notification of worrisome sites -- handy red balloons when users stray into risky areas, along with annotations on search result pages at leading search engines.

Late last month, Windows expert Mark Russinovich revealed Sony installing a rootkit to hide its "XCP" DRM (digital rights management) software as installed on users' PCs. The DRM software isn't something a typical user would want; the "rights" it manages are Sony's rights, i.e. by preventing users from making copies of Sony music. Notably, Sony didn't disclose its practices in its installer or even in its license agreement. At least as bad, Sony initially provided no uninstall for the rootkit, and when Sony added an uninstaller, the process was needlessly complicated, prone to crashing, and a security risk.

Having bungled this situation, Sony has recalled affected CDs and announced an exchange program to swap customers' affected CDs for XCP-free replacements. For savvy consumers who have followed this story, the exchange looks straightforward. But what about ordinary users, who don't read the technology press and aren't likely to learn their rights?

As it turns out, there's a clear solution: A self-updating messaging system already built into Sony's XCP player. Every time a user plays a XCP-affected CD, the XCP player checks in with Sony's server. As Russinovich explained, usually Sony's server sends back a null response. But with small adjustments on Sony's end -- just changing the output of a single script on a Sony web server -- the XCP player can automatically inform users of the software improperly installed on their hard drives, and of their resulting rights and choices.

Now that Claria no longer comes bundled with powerhouse distributors Kazaa and Grokster, and now that Claria has even terminated its fake-user-interface banner ads, one might reasonably wonder: How does Claria get onto users' PCs? Last month I showed an example of Claria soliciting installations via banner ads served through other vendors' spyware (which in turn had become installed without consent). But even Claria's ordinary installations still fail to tell users what they reasonably need to know in order to make an informed choice.

In particular, Claria has removed disclosures that used to be reasonably prominent within its prior installations. Claria used to admit, within an ActiveX popup, that it shows "pop-ups." These days, that disclosure has been removed, replaced with the vague "GAIN-branded ads." So users can receive Claria software without first being told that Claria will give them extra pop-ups.

Seeking to clean up its image, Claria has tried to distance itself from competing "adware" vendors -- hiring a privacy officer, filing comments with the FTC, even setting up an anti-spyware site. It's no surprise that Claria wants little to do with other vendors in this space: Other vendors' entirely nonconsensual installations (1, 2, 3) are a magnet for criticism. These vendors even undercut Claria's pricing -- showing ads for as little as $0.015 per display, where Claria demands a minimum payment of $25,000 per ad campaign.

But despite Claria's dislike of "spyware" vendors who install advertising software without any notion of user consent, Claria funds and supports such vendors in at least two distinct ways. First, Claria pays spyware vendors to show Claria's own ads through their popups -- thereby recruiting more users to install Claria's advertising software. Second, Claria buys traffic from spyware vendors and uses this traffic to show ads for Claria's advertiser clients -- including merchants as reputable as Amazon.

So even as Claria reforms its own practices -- improving its installation methods and scaling back its controversial popups -- Claria is buying ads from others whose practices are far inferior.

The Pacimedia exploit's first screen. Notice no disclosure of specific programs to be installed.

New.net offers "navigation" software that, as best I can tell, few users actually want. So how does New.net maintain an installed base of users? I post a video showing New.net installed via security hole exploits, and I review a few of their other dubious installations.

Of course New.net isn't all that gets installed through this security hole exploit. In testing, the exploit asked me if I wanted to install 180solutions; I declined, but I nonetheless received 180 a mere twelve minutes later.

Affiliate networks offer an appealing promise for supporting free, independent content on the web: Any ordinary user can sign up to promote any interested merchant via a special affiliate tracking link. When a user clicks the link and makes a purchase from the merchant, the referring web site ("affiliate") gets a payment from the merchant. Since merchants only pay affiliates when users actually make purchases, merchants feel free to partner with smaller affiliate sites -- sites that might otherwise be too small or quirky to get advertisers' attention.

Affiliate Merchants
(i.e. Dell, Gateway, eLuxury, J&R)
money

viewers
Affiliate Networks
(i.e. LinkShare, Commission Junction)
money

viewers
Affiliates
money

viewers
Spyware Vendors
(i.e. 180solutions, Direct Revenue)

Despite the promise of affiliate marketing, these casual marketing arrangements entail serious risks. If merchants sign up affiliates without investigation or monitoring, merchants risk accepting partners with undesirable business practices. Consider an affiliate who sends spam, or whose site is so controversial that no reasonable merchant would want to be seen there. So, experienced merchants have learned, they must monitor their affiliates for these kinds of dubious behaviors.

Even more serious for most merchants, some affiliates promote merchants via unwanted advertising software -- "spyware." Some affiliates cause merchants' ads to cover competitors' sites -- a merchant's ad might appear through spyware without the merchant knowing about, intending, or requesting this result. Worse, affiliates can use spyware to steal commissions they haven't earned -- making tracking systems think users arrived at a merchant's site via an affiliate link, when users actually just typed in a merchant's domain name.

This piece proceeds in three parts. First, I show five specific examples of particular affiliates currently employing spyware to claim affiliate commissions, in apparent violation of applicable rules. (1, 2, 3, 4, 5) Second, I offer recommendations to concerned merchants. I conclude with recommendations for networks -- suggesting technology and policy to stop this problem in the long run.

Few advertisers have the gall to defend advertising through spyware. But Expedia is an exception.

Expedia subsequently claimed to have "rigorous standards" for advertising software, including "mak[ing] sure customers want [the] ads."

Despite Expedia's claims of user consent, Expedia advertises with numerous programs that don't always obtain user consent. For example, in my testing, Expedia advertises with 180solutions, Direct Revenue, and eXact Advertising -- each of which has been shown to be installed through security holes, repeatedly and recently, among other troubling behaviors.

Yahoo's Overture (recently renamed Yahoo Search Marketing) allocates pay-per-click (PPC) ads among Yahoo's network of advertisers. When users run searches at yahoo.com, Yahoo's advertisers are assigned placements at the top, right, and bottom of search results. Advertisers pay Yahoo a fee when users click on their ads.

But Yahoo doesn't just show advertisers' ads on yahoo.com; Yahoo also distributes advertisers' ads to Yahoo's various syndication partners. Many of these partners are entirely legitimate: For example, most advertisers will be happy to show their ads to users running searches at washingtonpost.com, where Yahoo sponsored links complement searches of Post articles.

However, serious concerns arise where Yahoo syndicates advertisers' ads to be shown by advertising software installed on users' PCs -- software typically known as spyware or adware. In my testing, Yahoo's support of spyware is widespread and prevalent -- an important source of funding for many spyware programs, bankrolling infections of millions of users' PCs. Were it not for Yahoo's funding of these programs, the programs would be far less profitable -- and there would be fewer such programs trying to sneak onto users' PCs.

Reading ShopAtHomeSelect's marketing materials, their advertising software might seem to present compelling benefits. SAHS promises users rebates on products they're already purchasing. And SAHS even offers reminder software to make sure forgetful users don't miss out on the savings. What could be better than timely reminders of free money?

But the SAHS site doesn't tell the whole story. My testing demonstrates that SAHS software is often installed without users wanting it, requesting it, or even accepting it -- through security exploits, nondisclosed bundles, ActiveX popups, IM tricks, and even bundles with porn videos. (Details.) When users receive an unwanted SAHS installation, SAHS still claims commissions on users' purchases -- but typical users will never see a penny of the proceeds. (Details.) Meanwhile, whether requested by users or not, SAHS's commission-claiming practices seem to violate stated rules of affiliate networks. (Details.)

Despite these serious problems, SAHS boasts a superstar list of clients -- the biggest merchants at all the major affiliate networks, including Dell, Buy.com, Expedia, Gap, and Apple. Why? Affiliate networks have little incentive to investigate SAHS's practices or assure compliance with stated rules. (Details.) SAHS and affiliate networks profit, but users and merchants are left as victims. (Details.)

Today's New York Times reports Microsoft "in talks" to buy Claria. Leading commentators think it's a bad idea (1, 2, 3, 4, 5, 6, 7, 8, 9, 10). I agree. In today's piece, I explain why this isn't just a bad value for Microsoft, but also a dubious ethical choice, and an approach with serious risks for users who look to Microsoft for protection from spyware.

Meanwhile, Microsoft's Anti-Spyware offering now recommends that users "ignore" Claria's presence on their PCs. See image at left.

180solutions today announced its plan to show its users "notification" popups describing some of 180's practices -- thereby, in 180's view, obtaining users' "informed consent." In principle, a re-opt-in might let 180 obtain users' consent even where initial installations had somehow failed to do so. But 180's notification message is so flawed and so duplicitous that it can't offer the legitimacy 180 purportedly seeks.

180's notification screen makes numerous false statements. For example, it claims that user consent is "required" before 180 can be installed -- despite evidence (1, 2, 3) and admissions (1, 2, 3, 4) to the contrary. And the screen claims that all 180 ads are labeled, again despite 180's own admission that they're not. Details.

Furthermore, 180's notification is presented in a way that fails to obtain any notion of "consent." The notification doesn't ask for consent, and it doesn't seek or require a manifestation of consent (e.g. pressing a button). Users wanting to remove 180 must take steps far longer than those to install 180. Details.

Meanwhile, even 180's new stub installers don't obtain meaningful informed consent. 180's stub installer covers and obscures much of 180's license, and 180's stub installer (like its notification screen) fails to reasonably explain what 180 is or what it does. Details.

More on Google's Role: Syndicated Ads Shown Through Ill-Gotten Third-Party Toolbars

Google's "Software Principles" set out reasonably high standards for notice and consent to install advertising software. And Google's "Principles" strongly discourage doing business (even indirectly) with companies that violate these rules. But apparently Google wants others to do as they say, not as they do. In practice, Google has large relationships with companies widely violating these rules.

In More on Google's Role: Syndicated Ads Shown Through Ill-Gotten Third-Party Toolbars, I offer two separate examples of Google partners who break Google's Software Principles rules. First, Ask Jeeves. AJ's toolbars are sometimes installed without any consent at all. But even when users supposedly consent, installation procedures are often seriously deficient. For example, users who download iMesh get an AJ toolbar too -- though the only way to find out is by scrolling to page 27 of iMesh's license. These practices notwithstanding, Google's payments to AJ apparently total hundreds of millions of dollars per year.

PPC advertisers
money

viewers
Google AdWords
money

viewers
Go2Net
money

viewers
IBIS WebSearch

Second, the IBIS WebSearch toolbar installs in a variety of ways that don't meet Google's standards -- including security exploits, poorly-disclosed bundles, and ActiveX popups. But IBIS also shows many Google ads, obtained from Google through InfoSpace's Go2Net.

I see at least two distinct problems here. First, Google's payments are helping to fund purveyors of unwanted software -- making the spyware problem that much larger. Second, even advertisers who hate spyware are inadvertently advertising through these channels -- intending to rely on Google's promise of "high-quality" partner sites, although this promise may be overly optimistic.

Perhaps Google will make excuses for its so-called "partners." But the company's "don't be evil" slogan and its Software Principles document suggest another possibility: That Google entirely disassociate itself from those who use tricky practices to get their advertising software onto users' PCs. Stay tuned.

When unwanted programs ("spyware" and others) sneak onto users' computers, their main goal is often to show extra ads. If a vendor's program steals users' credit card numbers or social security numbers, the vendor will get in real trouble. But, historically, software vendors have been able to show extra ads with impunity.

PPC advertisers
money

viewers
Google (AdWords)
money

viewers
AdSense sites
money

viewers
180solutions

Where do these ads come from? What companies are willing to support the advertising software that users so despise? It turns out some of the world's biggest companies are advertising in this way -- either intentionally or because they can't control their ad buying processes. In 2003, I posted a list of some of Gator's then-biggest advertisers, work that PC Pitstop updated in 2003 (using Claria's S1 filing). More recently, I've posted a list of substantially all eXact advertising advertisers. More to come.

These advertisers aren't working in a vacuum. Quite the contrary: Many of their ads appear through spyware only thanks to major ad intermediaries that facilitate, intermediate, and track those placements, and that assist in the associated payments.

My new Intermediaries' Role in the Spyware Mess presents the ad intermediaries who are involved. Big ad networks and tracking services like Atlas DMT and DoubleClick help with thousands of 180solutions' ads. But the biggest surprise is Google: Of 180's current 88,000+ ads, some 4,678 (>5%) show embedded Google ads.

Last week Sunbelt announced that Hotbar sent Sunbelt a Cease and Desist letter, apparently demanding that Sunbelt stop detecting Hotbar software and offering users an option to remove it. I immediately updated my Threats page. But then I started wondering: How does Hotbar get onto users' PCs? And what does Hotbar do once installed?

My new Hotbar Toolbar Installs via Banner Ads at Kids Sites shows a variety of unsavory Hotbar practices: Promoting Hotbar advertising software at sites targeting kids, using banners with smiley faces but without mention of ads. Failing to affirmatively show a license agreement, and burying advertising terms so many screens into the license and below such counterintuitively-labeled section headings that users cannot reasonably find the key provisions. First affirmatively mentioning advertising on a screen that offers no Cancel button for users to decline the installation. And ultimately bombarding users with ads in pop-ups, web browser toolbars, Windows Explorer toolbars, auto-opening sidebars, and even desktop icons.

Installation practices occupied center stage at last week's CNET Download.com's anti-spyware conference. Many of the companies whose installation practices I've criticized attempted to defend those practices or deflect attention from them. But their explanations and excuses don't stand up to critical examination.

My new article today proceeds in four parts. First I look at more Claria installations targeting kids -- their focus on children even more transparent than the examples I posted previously. Next I critique the recent denial of IAC CEO Barry Diller of any liability by Ask Jeeves; I argue that nonconsensual installations could be wrongful in and of themselves, even when not associated with "adware." Then I compare 180's actual practices with its statements to the press and with the claims on its web sites. Finally, diverging a bit from the theme of installation practices, I discuss Direct Revenue's commission-skimming -- and note that DR apparently just got caught by the largest affiliate network.

I continue my misleading installation series with a look at installation practices of Ask Jeeves. My new Ask Jeeves Toolbar Installs via Banner Ads at Kids Sites shows a misleading banner ad particularly likely to target kids. When users click on this banner, AJ neither shows nor references any license agreement. And AJ uses euphemisms like "accessible directly from your browser" rather than explicitly admitting that it will install a web browser toolbar.

But that's not the worst of AJ's practices. Over the past six months, I've captured a series of videos showing Ask Jeeves' MyWay and MySearch software installed through security holes -- without notice, disclosure, or consent. For example, in a video I made on March 12, I received more than a dozen different programs including the Ask Jeeves MySearch toolbar -- without me ever requesting anything, and without me ever clicking "Yes" or "Accept" in any dialog box. Watch the video and see for yourself. Warning: The video is 16+ minutes long. Security exploit occurs at 6:00, and Ask Jeeves MySearch software is first seen at 15:50. Video also shows installation of 180solutions, multiple programs from eXact Advertising, the IBIS WebSearch toolbar, PeopleOnPage, ShopAtHomeSelect, SurfSideKick, WindUpdates, and many more. The underlying network transmissions show that the security exploit at issue was syndicated through the targetnet.com ad network -- Mamma Media, publicly-traded on Nasdaq Small Cap.

I have other videos available upon request, including nonconsensual AJ installations dating back to November 2004. See also my November 2004 exploit video.

I'm surprised that Ask Jeeves allows these nonconsensual installations. Ask Jeeves is a publicly-traded company with a 10-digit valuation (slated to be acquired by InterActiveCorp for $1.85 billion). If Ask Jeeves staff made a serious effort to screen and supervise their distribution partners, they could prevent this kind of mess.

It's Monday morning, so time for more misleading installations. Just like last week, I couldn't stop at only a single example; again I'm providing two.

PacerD's misleading pop-ups ask users to "please click yes" to accept "free browser enhancements." In fact what PacerD offers is an unusually large bundle of a dozen different programs, only some of them disclosed in fine print in PacerD's mislabeled (apparent, purported) license agreement, which in turn is only shown at a user's specific request. But click "Yes" once, and your computer will take a turn for the worse, with no subsequent opportunity to cancel.

As usual, Claria's approach is somewhat more subtle. When Claria bundles its advertising software with the "Dope Wars" video game, Claria prominently tells users that it will deliver advertising. But Claria mentions effects on privacy only midway through a 43-page license agreement, that begins with three tedious pages of all-caps text. My sense is that few "Dope Wars" players are likely to wade through this lengthy license. So if Dope Wars users install Claria, they'll do so without first understanding what Claria will do to their PCs.

On some level, these two installations could hardly be more different. PacerD installs a dozen programs from numerous different companies; Claria installs just one. PacerD shows a popup while users are just trying to surf the web; Claria's interruption comes as users are trying to install software they actually want. But in relevant respects, I think these installations are surprisingly similar. For one, both seek to convert users' computers into advertising channels -- tracking what users do, and showing extra advertising. Also, both installations tell users something about the programs they are asked to accept, and both give savvy users an opportunity to learn more, but in each case the prominent on-screen text omits important facts users need to know in order to make sensible choices.

"Adware" companies say their businesses are predicated on user consent. (Claria: "... consumers who agree ... "; 180: "permission-based ... opt-in"). Notwithstanding, companies' claims, there's no doubt that this kind of advertising software is sometimes installed without consent. See the video I posted last year.

But what about those users who supposedly do consent to receive extra pop-ups? Why did they agree to receive extra advertising that so many other users seem to despise? My sense is that users often don't understand what they're getting -- due to serious deficiencies in installation disclosures. In two new articles, I examine and analyze the installation procedures of Claria and 180, raising doubts as to whether users reasonably knew what would happen when they "accepted" these programs.

Ezone.com, a site targeting children, that nonetheless promotes 180solutions.

Can we say that a user "consents" to an installation if the installation occurred after a user was presented with a misleading advertisement that looked like a Windows dialog box? If that advertisement was embedded within a site substantially catering to children? If that advertisement offered a feature known to be duplicative with software the user already has? If "authorizing" the installation required only that the user click on an ad, then click "Yes" once? If the program's license agreement was shown to the user only after the user pressed "Yes"? These are the facts of recent installations of Claria software from ads at games site Ezone.com.

Turning to 180: Can we say that a user consents to an installation of advertising-display software where that installation is prominently and repeatedly described as removing advertisements? Where the installation description uses euphemisms like "show ... sponsor websites" but never explicitly states that the program will show advertisements or pop-ups? Where the installation procedure never shows or even references a license agreement? And where all this occurs at sites catering to children?

Lots of companies want to take advantage of users who may be a bit confused, a bit naive, or a bit too quick to click yes. But where users are recruited at sites catering to children, where ads look like Windows messages, or where installation requests resort to misleading euphemisms, I'm not inclined to say that consumers "consent" to the resulting ads and to the resulting transmission of personal information.

So-called "adware" companies say nonconsensual installations of their programs are just an "urban legend." (See section 7 of 180's claims in a recent interview.) But when I talk to users whose computers have become infected, I'm consistently told that they don't know how they got the unwanted programs, and they say they certainly didn't consent. How can we understand this divergence? How are users PCs receiving this unwanted software?

My new Spyware Installation Methods sets out a taxonomy of the ways unwanted programs sneak onto users' computers. Some installations rely on tricking users -- for example, showing confusing popups, or claiming or suggesting that an installation is required to view a web site. Others install unwanted software in bundles with programs users actually want -- sometimes telling users what they're getting in fine print midway through long licenses, but sometimes not even including these minimal disclosures. Finally, some spyware sneaks in through security hole exploits -- without any user consent at all, thanks to defects in users' web browsers or other software. (See the security hole video and write-up I posted last fall.)

There's lots to be done in documenting how unwanted software gets onto users' PCs. My Installation Methods page indexes my work to date, to the extent it's posted online. But I have much more documentation still to be posted -- for example, scores more videos showing security exploits. I'll be making additions in the coming months, as I find better ways to present this work clearly and efficiently, and as I find clients or other revenue sources to help support this work. (I'm still looking! Send suggestions.)

Diagram of the steps users must follow in order to attempt to learn what software 3D and BlazeFind will install on their PCs. Even diligent users ultimately have no way to know in advance what 3D will install on their PCs.

Today I'm also starting what I intend to be a series of weekly updates to my site -- tentatively entitled "misleading installation of the week." Sometimes I'll show massive security hole exploits that render users' computers nearly useless, but sometimes I'll post more "ordinary" infections that "merely" show extra ads or send users' browsing habits to a remote server. At every turn I'll emphasize the trickery common to most installation methods -- the ways that substance (e.g. material omissions, euphemisms, confusing circumstances) and style (e.g. on-screen presentation format, window size and shape, link format) cause users to "accept" software that offers them little or no genuine benefit.

I'm starting this series with 3D Desktop's Misleading Installation Methods. 3D's Flying Icons Screensaver bundles BlazeFind, which in turn bundles 180solutions and half a dozen other programs. To learn what's included, users must puzzle through a dizzying array of licenses -- scroll through one license to find a link to another; scroll through that agreement to find the URLs to others; perfectly retype those URLs; then read each of the resulting licenses. But even if users follow this lengthy procedure, 3D and BlazeFind will ultimately install programs beyond the programs the licenses specifically name. So even diligent users have no way to know in advance what 3D will do to their PCs. Plus, BlazeFind is overzealous in its claims of privacy protection: BlazeFind says the programs it installs don't track users' behavior, but my hands-on testing proves otherwise.

Interestingly, BlazeFind's license states that BlazeFind is a product of CDT, a software distribution company recently purchased by 180solutions. 180 says the CDT acquisition is part of its effort to "clean up" its distribution methods. With practices like these, they certainly have plenty of work ahead. See also a recent Spyware Warrior analysis of other 180 claims and practices in need of correction or improvement.

The past three months have brought a dramatic spike in threats, demand letters, and "requests" -- sent from companies who make unwanted software (some might call the programs spyware) to those who detect, remove, block, or write about these programs.

Threatening or suing critics isn't a new idea. Claria made headlines in September 2003 when it filed suit against PC Pitstop, alleging unfair business practices, trade libel, defamation, and interference with contract arising out of PC Pitstop's description of Claria's software. But with more and more threats with each passing week, it's becoming hard even to keep track of the accusations. I've therefore put together a new table listing complainants, targets, and summarized demands.

I've repeatedly seen software from eXact Advertising installed through security holes, in poorly-disclosed bundles, or otherwise without meaningful (or any) notice and consent. What kind of advertisers would support a company that gets on users' PCs in these ways? I was surprised to find scores of well-known firms promoted by eXact -- including Apple, Chase, Circuit City, Dell, Expedia, Netflix, and Vonage. Cross-referencing eXact's partner list with TRUSTe's member list, I found 85 matches.

My full article gives screenshots of eXact's ads, along with information about the triggers that cause eXact to display certain ads. I also discuss how eXact manages to promote some merchants and to receive payments from such merchants without those merchants having specific knowledge of what is occurring, nor giving their explicit consent.

Request a peer-to-peer filesharing program, and you may be surprised what else gets installed too. I've tested five major P2P programs and analyzed their bundled software. Licenses stretch to as long as 22,000+ words and 180+ on-screen pages. Some P2P apps add additional programs disclosed only in license agreement scroll boxes. And it's not uncommon for a P2P app to create thousands of registry entries. But at least one major P2P program bundles no extra software at all.

My full article analyzes what programs come with what extra software. I have also posted screen-shots of each screen of the lengthy license agreements, and I've noted scores of license anomalies such as broken links, missing section-heading formatting and line breaks, important omissions, and surprisingly one-sided substantive provisions.

Notwithstanding Google's lofty claims about principles for software notice and consent, certain pages at Google's Blogspot service show misleading popups that try to trick users into installing unwanted programs. If a user gets tricked into pressing "Yes" once, the user often receives extra web browser toolbars and extra popups, along with programs that transmit information about what web sites the user visits. These problems have continued for months, but Google has yet to take the simple action of blocking the JavaScript that lets these popups appear.

These aren't nice practices, so I suppose it comes as no surprise that someone -- perhaps some group or company that doesn't like what I'm writing -- has sought to knock my site offline. For much of Monday and Tuesday, as well as several hours last week, all of benedelman.org was unreachable. My prior web host, Globat, tells me I was the target of the biggest DDoS attack they've ever suffered -- some 600MB+/second.

DDoS attacks continue, but I'm fortunate to be back online -- entirely thanks to incredible assistance from Paul Vixie of the Internet Systems Consortium. You may know Paul as the author of Bind or as co-founded of MAPS. (Or just see his Wikipedia entry.) But he's also just an all-around nice guy and, apparently, a glutton for punishment. Huge DDoS attack? Paul is an expert at tracking online attackers, and he's not scared. A special thanks to his Operations, Analysis, and Research Center (OARC) for hosting me. In any case, I apologize for my site's inaccessibility yesterday. I think and hope I've now taken steps sufficient to keep the site operational.

Meanwhile, there's lots of spyware news to share. I now know of fourteen different states contemplating anti-spyware legislation -- a near-overwhelming list that is partiucularly worrisome since so many bills are silent on the bad practices used by the companies harming the most computer users. (Indeed, seven of the bills are near-perfect copies of the California bill I and others have criticized as exceptionally ineffective.) At the same time, federal anti-spyware legislation continues moving forward -- but in a weak form that I fear does more harm than good.

Then there's COAST's dissolution -- to my eye, the predictable result of attempting to certify providers of unwanted software when their practices remain deceptive. It's reassuring to see Webroot standing up for consumers' control of their PCs, though surprising to see Computer Associates defend COAST's certification procedure as "valuable." Now that Webroot and CA have withdrawn from COAST, COAST seems bound to disappear -- probably better for users than a COAST that continues certifying programs that sneak onto users' PCs.

The final surprise of last week's news: Technology Crossover Ventures joined in a $108 million round of VC funding for Webroot. Wanting to own a piece of Webroot is perfectly understandable. But Private Equity Week recently reported TCV as among investors in Claria, a provider of advertising software that Webroot removes. (See also other investors supporting spyware.) How can TCV fund both Claria (making unwanted software) and Webroot (helping users remove such software)? TCV seems aware of the issue: They've recently removed Claria from their Companies page. But other sources -- periodicials, Archive.org, and the Google cache -- all confirm that the investment occurred. (I made screen-shots for good measure.)

For three years, users have faced an onslaught of "drive-by downloads." These popups appear while users browse unrelated web sites, and they install unwanted programs if users merely click "yes" once, without even being shown a license agreement. Microsoft has blocked most drive-by popups with its new Windows XP Service Pack 2, but users with older operating systems still face these deceptive installation attempts.

Who can help fix this problem? VeriSign. Before an ActiveX popup can install software onto a user's computer, the installer must be validated by its digital signature. If VeriSign revoked the digital certificates used by clear wrongdoers -- those with invalid purported company names, or with outrageously deceptive installation practices -- users wouldn't face the misleading popups.

Will the new year bring effective, tough federal anti-spyware legislation? Congress's attempt to block spam, the CAN-Spam Act, was by most reports unsuccessful. But I think Congress could do better with spyware. Spammers tend to be small, fly-by-night operations -- hard for lawyers and courts to find and stop. In contrast, many spyware companies have fancy headquarters and major investors. (See my recently-released list.)

So tough anti-spyware legislation could find and stop the biggest spyware offenders. Unfortunately, from what I've seen so far, any new anti-spyware law will be surprisingly lax. The major effort so far is Rep. Mary Bono's recently-reintroduced SPY Act (H.R.29). Her intentions are surely good, and Reuters has called her bill "tough." But as I read the bill, it's riddled with loopholes and almost certain to be ineffective.

The anti-spyware community has been abuzz all weekend with the news of spyware company 180solutions joining the Consortium of Anti-Spyware Technology (COAST). What's the big deal? My 180 Talks a Big Talk, but Doesn't Deliver identifies three major problems:

Recent news reports, press releases, and other documents have chronicled investments in companies making spyware. I've gathered and organized these documents into a single table, to be updated as new information becomes available. See my new Investors Supporting Spyware.

Among the highlights of my winter holiday reading was a MediaPost interview of Reed Freeman, chief privacy officer of Claria. Freeman makes a series of claims about Claria's practices -- setting out high standards that he claims Claria already meets. As it turns out, his claims are in multiple instances verifiably false.

For example, Freeman claims Claria has "the intuitive and standard Windows uninstall process." I disagree. Install Claria software in a bundle with Kazaa, and there will be no "Claria," "Gator," or "GAIN" listing in Control Panel's Add/Remove Programs. Same for the other programs that bundle Gator (like DivX and Grokster). Instead, users who want to remove Gator are required to figure out that they need to select the "Kazaa" entry in Add/Remove Programs. That's neither intuitive nor standard.

My full article offers multiple additional examples of false claims in Freeman's interview. I document his errors with screenshots and quotes, and I compare Claria's actual behavior with the better practices of selected competitors.

Users have a lot to worry about when downloading and playing media files. Are the files legal? Can their computers play the required file formats? Now there's yet another problem to add to the list: Will a media file try to install spyware?

When Windows Media Player encounters certain special media files, it opens web pages specified by the files' creator. I recently tested one such file, which opens a deceptive popup that attempts to install software on a user's PC. If a user is tricked into pressing Yes once -- in response to the program's false claim that a user "must" accept it -- the program fills the user's computer with unwanted programs. In my testing, some 31 programs, 786 files, and 11,915 registry entries were added in a matter of minutes.

I've long been a fan of online shopping site Ebates. Sign up for their service, visit their web site, click through their special links to merchants (including merchants as distinguished as Dell, Expedia, IBM, and L.L. Bean), and earn a small cash back, generally a few percent of your purchase.

But another side of Ebates' business has become controversial: Ebates uses a software download called "Moe Money Maker" (MMM) to automatically claim merchants' affiliate commissions, then pay users cash back -- even if users don't visit Ebates' web site, and even if users don't click through Ebates' special links. Why the controversy? I see at least two worries: 1) Aggressive installations -- including installation through security holes without any user notice or consent, as shown in a video I made last month. 2) Breaking affiliate networks' rules to claim commissions that would otherwise go to other affiliates.

For companies making programs that show users extra pop-up ads, one persistent problem is that users are bound to take action once their computers get too clogged with unwanted software. Find a removal tool, hire a technician, reinstall Windows, buy a new computer, or just stop using the Internet -- whatever users do, the pop-up companies won't make any more money if users don't keep surfing, and don't keep clicking the ads. The problem is all the worse because so many unwanted programs install others. So if a user has one program showing extra pop-ups, the user might soon have five more.

What's an "adware" company to do? Direct Revenue has one idea: Delete its competitors' programs from users' hard disks. With the other programs gone, users' computers will run more or less as usual -- showing some extra ads from Direct Revenue, but perhaps not attracting so much attention that users take steps to remove all unwanted software.

I've observed the removals Direct Revenue's EULA seems to anticipate -- and I've even made videos and packet-logs of my findings. I'm not the only one to notice what's happening: I've just received a copy of a lawsuit filed by Avenue Media, complaining that Direct Revenue is "systematically deleting Avenue Media's Internet Optimizer without users' knowledge or consent."

Gator has previously received extensive criticism for confusing installations, for difficult uninstalls, for transmission of personal information, and for covering web sites with their competitors' advertisements. More recently, Gator has taken steps to portray itself in a more positive light: Gator changed its name to Claria, hired a former FTC staff attorney as chief privacy officer, and even supported anti-spyware legislation. (But see my criticism of the law as ineffective.)

Has Gator turned over a new leaf? For insight, I turned to Gator's license agreements, to see how Gator currently presents itself to ordinary users.

Buried within Gator's 5,936 word, 63-page license are some surprises. While purporting to defer to "user choice," Gator prohibits removal of its software using third-party tools like Ad-Aware and Spybot. Gator also bars users from examining what data Gator transmits over users' Internet connections.

The 'printable version' link, present in old Kazaa installers but no longer available.

What's missing from Gator's license is almost as notable as what's there: For one, Kazaa's current Gator installer no longer offers one-click access to searchable, printable license text. For another, the installer lacks the bold type and line breaks that previously identified section headings within Gator's license. In addition, although Gator calls itself an adware company, the word "adware" appears nowhere in the license. Even the phrase "pop-up ad," seemingly describing the core of Gator's business, is used in the license only once, there referring to pop-up surveys, not to advertising.

I've written before about unwanted software installed on users' computers via security holes. For example, in July I mentioned that 180solutions software was being installed through Internet Explorer vulnerabilities. (See also 1, 2, 3) More recently, researchers Andrew Clover and Eric Howes (among others: 1, 2) have described increasing amounts of unwanted software being installed through security holes.

How bad is this problem? How much junk can get installed on a user's PC by merely visiting a single site? I set out to see for myself -- by visiting a single web page taking advantage of a security hole (in an ordinary fresh copy of Windows XP), and by recording what programs that site caused to be installed on my PC. In the course of my testing, my test PC was brought to a virtual stand-still -- with at least 16 distinct programs installed. I was not shown licenses or other installation prompts for any of these programs, and I certainly didn't consent to their installation on my PC.

In my testing, at least the following programs were installed through the security hole exploit: 180solutions, BlazeFind, BookedSpace, CashBack by BargainBuddy, ClickSpring, CoolWebSearch, DyFuca, Hoost, IBIS Toolbar, ISTbar, Power Scan, SideFind, TIB Browser, WebRebates (a TopMoxie distributor), WinAD, and WindUpdates. (All programs are as detected by Ad-Aware.) I have reason to believe that numerous additional programs were also installed but were not detected by Ad-Aware.

See a video of the installations. The partial screen-shot at right shows some of the new directories created by the security exploit.

Other symptoms of the infection included unwanted toolbars, new desktop icons (including sexually-explicit icons), replacement desktop wallpaper ("warning! you're in danger! all you do with computer is stored forever in your hard disk ... still there and could broke your life!" (s.i.c.)), extra popup ads, nonstandard error pages upon host-not-found and page-not-found error conditions, unrequested additions to my HOSTS file, a new browser home page, and sites added to my browser's Trusted Sites zone.

When users agree to install Grokster, Grokster adds an exceptional bundle of 15+ programs. But Grokster also installs some of these unwanted programs even when users press CANCEL. Meanwhile, Claria's license is longer than ever. Worst of all, proposed federal legislation is weak and would largely allow these practices to continue.

Governor Schwarzenegger recently signed into law SB 1436 ("Computer Spyware"), a California bill that speaks to certain programs installed on users' computers. The bill admittedly speaks to programs that trick users, harm users, and take advantage of users. But its scope is so limited and its protections are so weak that this law is worse than no law at all. The bill lets Claria's practices -- including its lengthy and confusing license -- continue unmodified, so it's no surprise that Claria actually supports this approach.

Software from 180solutions opens double and hidden windows to claim affiliate commissions when users make purchases from targeted merchants.

Ever wonder who advertises on WhenU? A few reporters have tried to figure this out but have been stymied: Few companies care to talk about their use of Claria or WhenU. (WSJ [paid registration required], BusinessWeek).

So I thought I'd put together a list of all of WhenU's current advertisers -- all the companies showing graphical ads (not just sponsored link text) on WhenU's system. There are 234 distinct advertisers, by my count. The biggest advertisers (by advertisement count) are Priceline (51 ads), J.P. Morgan Chase (43), Casino On Net (37), Verizon (28), Orexis (24). Major advertisement categories:

Further down the list, 102 ads for insurance, 99 for sexual health (mostly Viagra and similar products) and even some ads for online psychics and online cigarette sales.

After closing arguments, Judge Fratto granted WhenU's Motion for Preliminary Injunction, enjoining current enforcement of the Spyware Control Act. Ruling from the bench, Judge Fratto stated that he was not persuaded that WhenU had satisfied the requirements of showing a substantial likelihood of prevailing on the merits of its constitutional challenge as to the spyware provisions of the Act, but that WhenU had satisfied such showing regarding the context-triggered pop-up ads provision. Nonetheless, Judge Fratto enjoined enforcement of the act in its entirety. See transcript of ruling.

For my perspective on the factual portion of the hearing, June 10-11, see Report from WhenU v Utah.

In April I mentioned WhenU's suit against the state of Utah, challenging Utah's recent Spyware Control Act. Oral argument took place yesterday and today as to WhenU's motion for preliminary injunction.

Lots of companies have a puzzling relationship with spyware. For example, a recent eWeek article pointed out the complexities in Yahoo!'s relationship with Claria: My research of last year found that yahoo.com is the the single most targeted domain of the many thousands Claria targets with its context-triggered popups. More recently, Yahoo! released a toolbar that uninstalls Claria software. These facts suggest that Yahoo! would dislike Claria and would actively oppose Claria's activities. Nonetheless, Yahoo! remains a major supplier to Claria (via Yahoo!'s Overture sponsored link service, which reportedly provides 30% of Claria's revenue, per Claria's S-1 filing).

Even more puzzling, Dell both suffers from spyware and receives web traffic from Claria's advertising services. In recent comments to the FTC (PDF page 70), Dell's Maureen Cushman reported that spyware is Dell's "number one call driver" as of late 2003, and that spyware is responsible for as much as 12% of calls to Dell tech support.

Nonetheless, my testing shows that Dell UK ads run on the Claria ad network. See the ad shown at right (among several other ads also from Dell UK), which I received while viewing the IBM.COM site. My further testing indicates that Claria shows several Dell UK ads when users visit the sites listed below (perhaps among others). (Note that users might have to visit particular parts of the sites listed here -- i.e. the computers section of amazon.co.uk, not just other parts of the Amazon site.)

Dell staff tell me that the ads were unauthorized, placed by an affiliate without Dell's permission. My inspection of the ads (and their link destinations) is consistent with this claim. But my inspection of Claria configuration files further suggests that the ads ran on the Claria network since at least February 6, 2004 -- some four months ago. Why didn't Dell notice this problem until I brought it to their attention?

If this is just a glitch, what procedures could Dell (and other companies) implement to make sure their ads are placed through only authorized channels? I'd be honored to work with interested advertisers to think through the possibilities for automatic or scheduled monitoring, testing, etc.

A note on my research methods: In May-June 2003, I offered a Gator real-time testing service that reported, on request, which ads (if any) targeted a given web site. I have subsequently disabled this site, so it provides only archived data. But I can still provide current Gator targeting data upon request. Interested readers, please get in touch by email.

Every program installed on users' PCs exposes users to potential security risks -- for any program can contain design flaws that let attackers take control of a user's computer. But experience shows some kinds of programs to be far more risky than others. Frequent readers of my site won't be surprised to learn that software from WhenU, distributed on WhenU's own web site until mere weeks ago, is among the programs with security vulnerabilities that let attackers take over users' PCs. My new WhenU Security Hole Allows Execution of Arbitrary Software explains the specific WhenU software found to be vulnerable, and shows what an attacker would have to do to take advantage of the vulnerability.

In July 2003, I noticed -- and shortly notified WhenU -- that WhenU's software transmits to its servers the URLs that users visit, and that it does so every time it shows a user an ad. What's the big deal? WhenU's privacy policy said it wouldn't do this: "URLs visited ... are not transmitted to whenu.com or any third party server." Many of WhenU's software installers carry an even more explicit, but equally false, statement: "... does not track, collect or send your browsing activity anywhere." What did WhenU do in response to my notification? Nothing, so far as I know.

Fast-forward eight months. I mentioned WhenU's privacy violation in my FTC comments (PDF), and an FTC workshop speaker mentioned it (citing me) in his oral comments, with WhenU's CEO and counsel present in the room. What did WhenU do? Again, nothing, so far as I know.

But this past Friday, I released to the public my new WhenU Violates Own Privacy Policy. I've revised my research of last summer and this spring -- explaining things a bit more clearly, better tracking the duration and scope of the violation, and adding formatting to make the work easier to read. What did WhenU do? This time, finally, WhenU changed its privacy policy, to better describe its actual practice. But WhenU only made the change in some places -- namely only on its web site, but not in the installer screens users look at as they decide whether or not to install WhenU software. So even today, as users install WhenU software, they are told -- falsely -- that WhenU doesn't track, collect, or send their browsing activity. (screen-shots)

This is a troubling situation: For one, there's the ten month lag between the violation first being brought to WhenU's attention, and WhenU doing anything to even begin to address it. Then there are the thirty million users who reportedly run WhenU software. As users installed WhenU's programs, WhenU promised not to send or track which URLs they visited. Instead, WhenU sent this information all along, and even continues sending it this very minute. Can WhenU correct the violation merely by changing its privacy policy web page?

Today I released WhenU Spams Google, Breaks Google 'No Cloaking' Rules, documenting at least thirteen web sites operated with WhenU's knowledge and approval (if not at WhenU's specific request) that use prohibited methods to attempt to manipulate search engine results as to searches for WhenU and its products.

On Monday I was in DC for the FTC's Spyware Workshop. I thought the final panel, Governmental Responses to Spyware, did a fine job of explaining the legislative options on the table, and of noting the pressure to address the problem of spyware for the large and growing number of affected users. But I was dismayed that the first panel (Defining Spyware) classified as fine and unobjectionable certain programs that, in my experience, users rarely want, yet often find installed on their computers. Key among these undesired programs are software from Claria (formerly Gator) and WhenU. The technical experts on the second and third panels agreed that these programs pose major problems and costs for users and tech support staff. Yet the first panel seemed to think them perfectly honorable.

Yesterday WhenU filed suit in Utah, seeking that Utah's Spyware Control Act be declared void and invalid.

2) Methods and Effects of Spyware (PDF) is my written response to the FTC's call for comments (PDF) on spyware. I explain how spyware works, including presenting specific personal information transmitted by both Gator and WhenU. (The WhenU transmissions are particularly notable because these transmissions seem to violate WhenU's own privacy policy.)

Gambling, Betting and Bingo	327 advertisements	49 advertisers
Loans	263 advertisements	35 advertisers
Travel	213 advertisements	21 advertisers