I recently had the honor of serving as an expert witness in The People of the State of California ex. rel. Rockard J. Delgadillo, Los Angeles City Attorney v. Intermix Media, Inc., Case No. BC343196 (L.A. Superior Court), litigation brought by the City Attorney of Los Angeles (on behalf of the people of California)against Intermix. Though Intermix is better known for creating MySpace, Intermix also made spyware that, among other effects, can become installed on users’ computers without their consent.
On Monday the parties announced a settlement under which Intermix will pay total monetary relief of $300,000 (including $125,000 of penalties, $50,000 in costs of investigation, and $125,000 in a contribution of computers to local non-profits). Intermix will also assure that third parties cease continued distribution of its software, among other injunctive relief. These penalties are in addition to Intermix’s 2005 $7.5 million settlement with the New York Attorney General.
In the course of this matter, I had occasion to examine my records of past Intermix installations. For example, within my records of installations I personally observed nearly two years ago, I found video evidence of Intermix becoming installed by SecondThought. By all indications, SecondThought’s exploit-based installers placed Intermix onto users’ computers without notice or consent.
Using web pages and installer files found on Archive.org, I also demonstrated that installations on Intermix’s own web sites were remarkably deficient. For example, some Intermix installations disclosed only a portion of the Intermix programs that would become installed, systematically failing to tell users about other programs they would receive if they went forward with installation. Most Intermix installations failed to affirmatively show users their license agreements, instead requiring users to affirmatively click to access the licenses; and in some instances, even when a user did click, the license was presented without scroll bars, such that even a determined user couldn’t read the full license. Furthermore, some Intermix installations claimed a home page change would occur only if a user chose that option ("you can choose to have your default start page reset"), when in fact that change occurred no matter what, without giving users any choice.
Remarkably, I also found evidence of ongoing Intermix installations, despite Intermix’s 2005 promise to "permanently discontinue distribution of its adware, redirect and toolbar programs." For example, in my testing of October 2006 and again just yesterday, the Battling Bones screensaver (among various others) was still available on Screensavershot.com (a third-party site). Installing Battling Bones gives users Intermix’s Incredifind too. Even worse, this installation proceeds without any disclosure to the user of the Intermix software that would be installed. (Video proof. The installer’s EULA mentions various other programs to be installed, but it never mentions Intermix or the specific Intermix programs that in fact were installed.) Furthermore, I found dozens of ".CAB" installation files still on Intermix’s own web servers — particularly hard to reconcile with Intermix’s claim of having abandoned this business nearly two years months ago. Truly shutting down the business would have entailed deleting all such files from all servers controlled by Intermix.
I continue to think there’s substantial room for litigation against US-based spyware vendors. I continue to see nonconsensual and materially deceptive installations by numerous identifiable US spyware vendors. (For example, I posted a fresh Ask.com nonconsensual toolbar installation just last month. And I see more nonconsensual installations of other US-based vendors’ programs, day in and day out.) These vendors continue to cause substantial harm to the users who receive their unwanted software.
Technology news sites and forums have been abuzz over the FTC’s proposed settlement with Zango, whose advertising software has widely been installed without consent or without informed consent. I commend the FTC’s investigation, and the injunctive terms of the settlement (i.e. what Zango has to do) are appropriately tough. Oddly, Zango claims to have "met or exceeded the key notice and consent standards … since at least January 1, 2006." I disagree. From what I’ve seen, Zango remains out of compliance to this day. I’m putting together appropriate screenshot and video proof.