180solutions / Doll Idol - Critiquing 180solutions's Response
180solutions's Misleading Installation Methods - Doll Idol - Ben Edelman
On January 9, 2006, I posted 180solutions's Misleading Installation Methods - Doll Idol, analyzing current 180solutions "S3" installation practices. 180's Sean Sundwall subsequently posted a response (at ZDNet and at Vital Security). This page critiques each point of 180's response.
[ Targeting Kids | Off-Screen Footer without Scroll Bar | Failure to Disclose that 180 Shows "Pop-Ups" | Failure to Disclose Privacy Effects | Misleading and Missing Buttons in Installation Confirmation Window | Discouraging Removal ]
Targeting Kids
I claimed that 180 is "promot[ed] at sites targeted at children."
Sean responded that it is "patently false" that Dollidol is a child's site. Sean says "Dollidol.com is not targeted at kids, period."
I think Doll Idol's content (avatars in the style of Barbie dolls) largely speaks for itself.
Some pages of the Doll Idol site specifically describe associations with children (e.g. the "school" category of avatars, listing ages as low as "first grade"). The rest of Doll Idol is consistently designed in a playful childlike style, featuring numerous pictures of teenage (or younger) girls.
Readers should visit Dollidol.com and draw their own conclusions as to its apparent audience.
Sean continued: "Suggesting that a site is targeted at children because it has animated characters is a bit naïve."
I disagree. It's not "naïve" to think a site targets kids when that site includes animated characters. To the contrary, longstanding FTC COPPA regulations specifically instruct considering the presence of animated characters when evaluating whether a web site is directed to children. See also FTC Rule 16 CFR Part 312, provision 312.2, defining sites "directed to children."
Beyond the presence of animated characters, the FTC's regulations also call for evaluation of a site's subject matter. Dollidol.com repeatedly references "dolls," including in the site's title and in its domain name. These many prominent references weigh towards a finding that the Dollidol site is targeted at kids.
The FTC's regulations further call for assessment of the age of any models pictured on a web site. Dollidol's sketches show young women who are distinctively young-looking. (See e.g. images above.) A mere 30 pixels below Dollidol's links to install 180solutions, Dollidol includes a prominent "put your photo on an avatar" feature with a photograph of a girl. See image at right. I estimate the model to be ten years old. The young age of the models pictured in Dollidol's sketches and photographs also indicates that the Dollidol site is targeted at kids.
Off-Screen Footer without Scroll Bar
I claimed that 180 "disclos[es] the presence of bundled 180solutions advertising software in an off-screen footer without scroll bars."
Sean responded that "When you have a screen resolution of 800x600, there are a lot of things you’re going to have to move around to see properly. ... Judging our business practices on an ancient screen resolution shows desperation."
Certainly users with bigger screens will see the 180 disclosure at issue (deficient as that disclosure's substance may be, per subsequent discussion). I never said anything to the contrary.
But 180's duty to disclose -- to provide appropriate information, so that users know what they're getting -- is a duty that applies to all users, not just to users who happen to own the latest computer technology. Sean and I are fortunate to have high-resolution screens where we can see large web pages as they were intended. But ordinary users shouldn't be tricked into installing 180 just because they have older PCs. And since extra software is particularly harmful to old PCs -- which are likely to be slowed more by nonessential programs running in the background -- I'm actually particularly concerned about unwanted 180solutions installations on such computers.
I'm hardly the first to point out the need to provide appropriate disclosures even to users with older computer technology. See the FTC's 2000 "Dot Com Disclosures," which specifically warns advertisers "Don’t ignore technological limitations" (section 1.c.i.) when providing disclosures.
Failure to Disclose that 180 Shows "Pop-Ups"
I claimed that 180 "fail[s] to disclose that 180's ads are shown in pop-ups."
Sean responded that "We will be changing the language in our plain-language disclosure to better address the types of ads we serve."
I applaud this change. If users are told that 180 will show "pop-up ads," users will be better able to assess whether 180 is a program they want on their PCs.
I pointed out that 180's disclosures fall short of requirements of TRUSTe's Trusted Download program.
Sean adds that TRUSTe's software download standards are "not yet a standard," therefore not binding on 180.
I agree, but that's irrelevant. 180 has a preexisting duty to disclose material effects of its software. Here again, see the FTC's "Dot Com Disclosures," which require that "material information" be disclosed "clear[ly] and conspicuous[ly]" before a user enters into a transaction. Under FTC rules, material information is information likely to affect a consumer's conduct with respect to an offer.
Since users are known to hate pop-up ads, reasonable consumers are less likely to install software that shows "pop-ups" rather than ordinary "advertisements" (e.g. within a program window). So this characteristic of 180's software is material. As such, under existing FTC rules, 180 must disclose that its ads will appear in pop-ups.
Failure to Disclose Privacy Effects
I claimed that 180 "fail[s] to disclose the privacy consequences of installing 180's software." I described 180's privacy effects as "track[ing] what web sites users visit and ... send[ing] this information to 180's main servers."
In response, Sean claimed that "180solutions does not 'track what web sites users visit and ... send this information to 180's main servers.'"
Sean's claim is false. 180 absolutely does track what web sites users visit.
In 2004, I posted a packet log showing a 180solutions transmission of the specific URL I visited on a test PC. (I have continued to observe near-identical transmissions from 180solutions software through the present day.) Copying here for readers' convenience:
keyword trigger
GET /showme.aspx?keyword=delta.com&did=762&ver=5.9
The yellow highlighting (above) shows that 180 does track what web sites users visit. In the example above, 180 tracked and transmitted the fact that I was browsing the www.delta.com web site.
Sean's response cloaks 180's tracking in a variety of euphemisms -- "we parse the URL string for keywords" and "send a request to our servers." Whatever complicated language Sean chooses to describe 180's behavior, my initial article describes 180's practices with appropriate clarity: 180 tracks what web sites users visit.
Sean further commented that "As far as privacy concerns, I’m not sure what they are."
I'm surprised that the head of communications for a major "adware" vendor is "not sure" about the privacy concerns associated with his employer's software. Sean might prefer not to discuss these consequences. But the consequences are real and, for many users, serious.
As described above, 180 tracks what web sites users visit. Users have good reason to be concerned about these transmissions. Even a partial list of users' web site visits and search terms can be extremely revealing, capturing detailed and sensitive information. When I last reviewed 180's ad target list, I saw tracking of the most sensitive of web sites -- not just financial sites (like banks and credit card sites) but job search sites (jobs.com, hotjobs.com, etc.) and even health sites (aids.org, aidsaction.org, breastcancer.org, etc.). Reasonable users may not want 180 to know that they're visiting such sites. And while 180 may not know users' names, 180 does assign each user a distinct ID code (green highlighting above). These ID codes allow after-the-fact searching if 180 so chooses -- or if subpoenas or other proceedings demand such information.
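As an added illustration (not code from the original article or from 180solutions), the following Python sketch parses request lines shaped like the one quoted above and groups the transmitted keywords by ID, showing how a per-install ID ties separate site visits into one searchable history. It assumes that `did` is the distinct ID code the text refers to; every sample line other than the delta.com request is constructed, using site names mentioned in this article.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample request lines. Only the first reproduces the request
# quoted in the article; the rest are made up for illustration.
SAMPLE_REQUESTS = [
    "GET /showme.aspx?keyword=delta.com&did=762&ver=5.9",
    "GET /showme.aspx?keyword=hotjobs.com&did=762&ver=5.9",
    "GET /showme.aspx?keyword=breastcancer.org&did=762&ver=5.9",
    "GET /showme.aspx?keyword=delta.com&did=9001&ver=5.9",
    "GET /index.html",
    "GET /showme.aspx?did=762&ver=5.9",
]

TRACKING_PATH = "/showme.aspx"
# Assumption: `did` is the per-user ID code described in the article.
ID_PARAM = "did"


def parse_tracking_request(line):
    """Return (install_id, keyword) for a keyword-trigger request, else None."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    if url.path.lower() != TRACKING_PATH:
        return None
    query = parse_qs(url.query)
    keyword = query.get("keyword", [None])[0]
    install_id = query.get(ID_PARAM, [None])[0]
    if not keyword or not install_id:
        return None  # unrelated or incomplete request
    return install_id, keyword.lower()


def visits_by_install_id(lines):
    """Group transmitted keywords by ID, keeping first-seen order, no repeats."""
    history = defaultdict(list)
    for line in lines:
        parsed = parse_tracking_request(line)
        if parsed:
            install_id, keyword = parsed
            if keyword not in history[install_id]:
                history[install_id].append(keyword)
    return dict(history)


if __name__ == "__main__":
    for install_id, sites in visits_by_install_id(SAMPLE_REQUESTS).items():
        print(f"did={install_id}: {', '.join(sites)}")
```

Run over a proxy or packet-capture export, the same grouping shows an auditor exactly which sites a given installation reported.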
Misleading and Missing Buttons in Installation Confirmation Window
Referring to 180's use of the word "finish" to start an installation users had never requested, I claimed that 180 "us[es] misleading button labels to encourage installation."
Sean responded: "There is no trickery here unless you believe today's average computer user doesn't understand the word 'cancel.'"
The question at hand is not whether the "cancel" button is properly labeled. The question is whether the affirmative button, "Finish," is appropriate under the circumstances. My claim is that it is inappropriate to label a button "Finish" when that button starts a process a user had not previously requested. "Finish" suggests that the user had already agreed, that this final step is insubstantial and unimportant, and that important actions are already complete. In contrast, a label like "Accept installation" or "I agree" would tell a user, appropriately, that nothing has been done yet, that no permission has been granted yet, and that it's not too late to deny permission.
Sean says that my analysis "insults the intelligence of the increasingly savvy computer user."
I disagree. Savvy users may be able to figure out that 180's S3 screen is seeking permission to install software on their computers. But I'm concerned about more than just savvy users. I'm equally concerned about newbies, about kids, about confused users, and about users who are in a hurry.
180 distributes its software on mass-market web sites catering to ordinary users, and its installation procedures shouldn't only be accessible to experts. Instead, 180 should aspire to be as clear as possible as to what they seek to do, how, and why. Appropriate, accurate, clear language can assist users in quickly understanding and assessing 180's offer.
I claimed that 180 "hid[es] standard Windows buttons to hinder cancellation of installation."
Sean responded: "There are countless examples of reputable installation screens that do not have the “x” in the upper right hand corner. I get one from my Palm software every time I reboot my computer."
Certainly some programs properly display windows without "x" buttons. But I'm not sure that an "x"-less window is appropriate for an installation confirmation screen window. (And since Palm software is already installed on Sean's computer, I don't think his Palm windows are a good example of the "reputable installation screens" Sean claims lack "x" buttons.)
Official safe browsing tips (from the computer industry and even from the US government) specifically instruct users to press "x" in any unrequested popup, to reduce risk of installing software accidentally. By intentionally hiding this "x" button, 180 specifically blocks this industry-standard and government-endorsed method for users to protect themselves.
In 180's S3 installation box, the "x" button would perform the same function as pressing "cancel." Whatever the practices of other vendors, 180 should add this button to its windows, to give users an additional way to decline 180's offer.
Discouraging Removal
I claimed that 180 "discourag[es] removal with false warnings of risks to other applications." I pointed out that 180 prominently says "uninstalling Zango will disable any Zango-based applications or tools on your computer," even when 180 knows that no such applications or tools have been installed.
Sean responded that "we do discourage uninstallation of our software but we do it without trickery and without fearmongering."
As an advertising technology company, 180 boasts of its "highly targeted" ads, which specifically respond to exactly what a user is doing online. But when it comes to 180's uninstaller, 180 is far less sophisticated. In particular, 180 shows its broad "will disable any Zango-based applications" warning whether or not any such applications have actually been installed. For users with no such applications -- users who received 180 at a site like Doll Idol -- this messaging is simply false. Whether or not this false statement amounts to "trickery" or "fearmongering," it improperly warns Doll Idol users about a problem they're certain not to face. In my view, this statement is misleading as to Doll Idol users, and it therefore should not be included in 180's uninstaller.
Telling users about the real negative effects of removing 180 is one thing. Making up effects they won't actually face is quite another.