Google claims to be on the right side of the spyware problem. Its May 2004 Software Principles set out lofty (if somewhat vague) standards for installation notice and consent. Its Google Toolbar installer gives impeccable disclosure and obtains true, meaningful, informed consent. (See page 7 of my FTC Comments (PDF).) And Google is a victim of spyware: I’ve tested and studied a number of programs that add bogus search results and advertisements to Google.com results, tarnishing Google’s brand and siphoning advertising revenues that would otherwise accrue to Google.
If a user presses yes, the user receives certain extra software, often including software that many users would call spyware. The screenshots above show an attempted installation of Elitetoolbar. I have also observed similar popups attempting to install software from Crazywinnings (repeatedly falsely claiming "you have to click yes to continue" if users initially decline the installation) and from Direct Revenue. See a video of the repeated Crazywinnings installation attempts. See also additional screenshots (1, 2, 3, 4) of other software installations and/or other infected Blogspot pages.
Who’s Responsible, and Who’s Able to Stop This Mess?
The popups at issue come from a service called iWebTunes.com. iWebTunes recruits blog authors by giving them music to add to their blogs or other web sites. But as users view the resulting blogs, iWebTunes shows software installation popups to attempt to foist extra programs onto users’ computers. These programs likely pay iWebTunes a commission for each resulting installation.
Users have reported unwanted software offered by Blogspot sites since at least September 2004. See a September 15, 2004 blog post complaining of spyware received from iWebTunes. I reported these problems to Google staff last week, including a specific example of an infected site. But so far Google has taken no action to stop the misleading popups on this site or others. A recent Blogspot tech support response admitted the problem, at least generally, but offered no specific approach or timetable for resolution.
So Google is in a natural position to stop this problem. But it’s not the only company that could take action here. As I pointed out earlier this month, VeriSign plays a key role in authorizing ActiveX security warnings like that shown above: The misleading popups are only shown if they carry valid digital certificates, and VeriSign is the primary issuer of such certificates. VeriSign’s existing rules disallow using VeriSign-issued certificates “to distribute malicious or harmful content of any kind … that would … have the effect of inconveniencing the recipient.” I consider the programs above to be harmful for their addition of unwanted software including toolbars, silent auto-updaters, and systems that track and transmit certain personal information. Especially when combined with the popups’ false claims ("… out of date browser" and "you have to click yes") and especially in light of the other misleading circumstances of installation, I see ample basis to conclude that the popups are malicious. These software installation attempts are therefore arguably prohibited by existing VeriSign rules. But I’ve seen little sign of VeriSign acting to enforce its rules. VeriSign’s code signing site offers no obvious standards or procedures for assessing or reporting violations.
More on Google and Spyware: Sponsored Link Advertising from So-Called Spyware Removers
These misleading Blogspot popups are not Google’s only ties to spyware companies. Eric Howes has posted a warning he calls Google & Anti-Spyware Products: Be Wary of Paid Search Results. Eric and others have put together a list of “rogue/suspect” anti-spyware applications that are at best useless (failing to detect or remove bona fide spyware) and at worst malicious (installing new spyware of their own). Comparing current Google advertisers for a search on "spyware" with Eric’s impressively detailed list yields surprisingly numerous matches.
According to Google’s Software Principles, companies should "keep good company" by avoiding doing business with those who don’t meet ethical standards. Yet Google somehow continues to show ads for — and accept advertising payments from — companies whose supposed anti-spyware tools merely take advantage of users’ spyware worries. Google has made some progress at cleaning up the most dishonorable advertising for anti-spyware searches, but its AdWords advertising remains a poor, unreliable source for consumers to find reputable, high-quality anti-spyware applications.