Featured Research

180solutions & Affiliate Commissions (NEW)

Advertisers Using WhenU (NEW)

WhenU Violates Own Privacy Policy (NEW)

WhenU Spams Google, Breaks "No Cloaking" Rules

Documentation of Gator Advertisements and Targeting

"Spyware": Research, Testing, Legislation, and Suits

Benjamin EdelmanDirect Revenue Deletes Competitors from Users' Disks

December 7, 2004 - Updated February 8, 2005

[ home | bio | publications | media coverage | invited presentations ]
[ email ]
[ request project updates ]


For companies making programs that show users extra pop-up ads, one persistent problem is that users are bound to take action once their computers get too clogged with unwanted software. Find a removal tool, hire a technician, reinstall Windows, buy a new computer, or just stop using the Internet -- whatever users do, the pop-up companies won't make any more money if users don't keep surfing, and don't keep clicking the ads. The problem is all the worse because so many unwanted programs install others (usually in exchange for a per-install commission). So if a user has one program showing extra pop-ups, the user might soon have five more.

What's an "adware" company to do? Direct Revenue has one idea: Delete its competitors' programs from users' hard disks. With the other programs gone, users' computers will run more or less as usual -- showing some extra ads from Direct Revenue, but perhaps not attracting so much attention that users take steps to remove all unwanted software.

Direct Revenue's End User License Agreement provides, in relevant part:

"[Y]ou further understand and agree, by installing the Software, that BetterInternet and/or the Software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer ..."

In my recent testing, I've observed the removals Direct Revenue's EULA seems to anticipate. And I'm not the only one: I've just received a copy of a lawsuit filed by Avenue Media, complaining that Direct Revenue is "systematically deleting Avenue Media's Internet Optimizer without users' knowledge or consent." Indeed, in my November 17 testing, I found that software installed on my PC by ABetterInternet (a product name used by Direct Revenue) received the following instructions from its targeting server, calling for the removal of Avenue Media's Internet Optimizer:

request for instructions from server
POST /bi/servlet/ThinstallPre HTTP/1.1
...
Host: thinstall.abetterinternet.com

begin response from server

excerpted to show only removal
code targeting Internet Optimizer
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2004 15:31:00 GMT
Server: Apache/2.0.46 (Red Hat)
Content-Length: 3881
Connection: close
Content-Type: text/xml
list of running processes to stop ("kill")

<install><action type="KillProc">
<proc exe="optimize.exe" />
</action>
start of an ".INF" file
(in usual Windows .INF format)
...
<action type="installINF">
<inf section="DefaultInstall">
...
[DefaultInstall] ...
DelReg=RegistryEntries
DelFiles=ProgFiles,systemFiles
registry entries to be removed
...
[RegistryEntries] ...
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,"Internet Optimizer"
...
files on disk to be removed
[ProgFiles]
\Internet Optimizer\actalert.exe,,,1
\Internet Optimizer\optimize.exe,,,1
\Internet Optimizer\update\actalert.exe,,,1

In my testing, Direct Revenue's software acts on these instructions -- stopping the optimize.exe task (Internet Optimizer's main program), then deleting the associated registry entries and program files. So I think Avenue Media is correct as to the basic facts of what's happening. Conveniently, in tests beginning on November 17, I even made videos showing Internet Optimizer's software being deleted -- files eerily disappearing as Direct Revenue's software deleted Internet Optimizer along with other targeted programs.

How do I happen to have records, logs, and even videos of events occurring several weeks ago? As it turns out, both Internet Optimizer and Direct Revenue were unwanted additions to my test PC: Both were installed through security holes, much like the installations I documented in my Who Profits from Security Holes? write-up and video last month. I've been making more such videos -- roughly one a day for the past few weeks. So I've repeatedly seen Direct Revenue removing Internet Optimizer.

In my security-hole videos, I never saw nor accepted any Direct Revenue license. So, at least as to me, Direct Revenue cannot convincingly cite its EULA to defend its removal of Internet Optimizer. (See also my recent analysis of Gator's EULA.) However, my test PC became noticeably faster after Direct Revenue removed other unwanted programs that had been installed through security holes. So, for some consumers, Direct Revenue's removal of competitors' programs may offer a useful if surprising benefit. (Compare: Radlight removing Ad-Aware, without any apparent benefit to consumers.)

Return to top

Case documents: Avenue Media v. Direct Revenue

As promised: Internet Optimizer's case documents, alleging claims under the Computer Fraud and Abuse Act as well as for tortious interference with economic relations:

Complaint: Avenue Media, N.V. v. Direct Revenue LLC, BetterInternet LLC (PDF)
Memorandum in Support of Temporary Restraining Order (PDF)
Declaration of Moses Leslie (PDF)
Response by Direct Revenue (PDF) and supporting declaration of Joshua Abram (PDF)

Avenue may be suffering from wrongful behavior by Direct Revenue, but note that Avenue has problems of its own. In my tests, Avenue's software (like Direct Revenue's) was installed without any notice or consent whatsoever. (Again, I have video proof.) However installed, Internet Optimizer's primary function is to show extra advertising, primarily by replacing web browser error messages with its own ads -- not a feature most users request. In addition, Internet Optimizer's EULA admits to tracking web sites visited and keywords searched. Finally, Doxdesk reports that Internet Optimizer has (or recently had) security holes that risk unauthorized installation of other software.

Update (February 8, 2005): Avenue Media and Direct Revenue have reportedly reached a settlement. No money will change hands, but the companies have agreed to no longer disable each other's software.

Return to top

More on Direct Revenue

Removing competitors' programs is not Direct Revenue's only controversial activity. Direct Revenue's core business is showing extra pop-up ads. Which ads? Covering which sites? Early next year, I expect to release a report detailing some of the advertisers supporting Direct Revenue, and showing some ads Direct Revenue targets at certain web sites. Advance access available by request.

I also plan to present the sensitive information sent by Direct Revenue to its servers. In recent testing, I've seen Direct Revenue collect each user's ethernet address or "MAC address" -- a unique identifier permanently associated with each network card (i.e. with each computer). Direct Revenue also transmits users' Windows product IDs -- of particular interest due to their use in Microsoft's product activation system.

I have recently observed that Direct Revenue tracks the .EXE names of all running tasks, specifically checking for installations of certain competing programs (including Gator and 180solutions) and for certain spyware-removal programs (including Ad-Aware and PestPatrol). Direct Revenue checks for these programs in the same way it checks for Internet Optimizer -- suggesting that Direct Revenue might also target some or all of these programs for automatic deletion, just as it automatically deleted Internet Optimizer in the log shown above. That hypothesis is more than speculative: My November videos and packet logs show Direct Revenue deleting not just Internet Optimizer but also ActAlert/DyFuCa, EliteToolbar, and others.

Finally, note that Direct Revenue recently received $20 million of funding from Insight Venture Capital Partners, as well as $6.7 million from Technology Investment Capital Corp (TICC).