Design of Search Engine Services: Channel Interdependence in Search Engine Results

Edelman, Benjamin, and Zhenyu Lai. “Design of Search Engine Services: Channel Interdependence in Search Engine Results.” Journal of Marketing Research (JMR) 53, no. 6 (December 2016): 881-900. (First posted April 2013.)

The authors examine prominent placement of search engines’ own services and effects on users’ choices. Evaluating a natural experiment in which different results were shown to users who performed similar searches, they find that Google’s prominent placement of its Flight Search service increased the clicks on paid advertising listings by more than half while decreasing the clicks on organic search listings by about the same quantity. This effect appears to result from interactions between the design of search results and users’ decisions about where and how to focus their attention: users who decide what to click based on listings’ relevance became more likely to select paid listings, while users who are influenced by listings’ visual presentation and page position became more likely to click on Google’s own Flight Search listing. The authors consider implications of these findings for competition policy and for online marketing strategies.

Advertising Disclosures: Measuring Labeling Alternatives in Internet Search Engines

Edelman, Benjamin, and Duncan S. Gilchrist. “Advertising Disclosures: Measuring Labeling Alternatives in Internet Search Engines.” Information Economics and Policy 24, no. 1 (March 2012): 75-89.

In an online experiment, we measure users’ interactions with search engines, both in standard configurations and in modified versions with clearer labels identifying search engine advertisements. In particular, for a random subset of users, we change “Sponsored links” or “Ads” labels to instead read “Paid Advertisements.” Relative to users receiving the “Sponsored link” or “Ad” labels, users receiving the “Paid Advertisement” label click 25% and 27% fewer advertisements, respectively. Users seeing “Paid Advertisement” labels also correctly report that they click fewer advertisements, controlling for the number of advertisements they actually click. Results are most pronounced for commercial searches and for vulnerable users with low education and little online experience.

Advertising Disclosures in Online Apartment Search with Paul Kominers

A decade ago, the FTC reminded search engines of their duty to label advertisements as such. Most general-purpose search engines now do so (though they’re sometimes less than forthright). But practices at specialized search engines often fall far short.

In today’s posting, Paul Kominers and I examine leading online apartment search services and evaluate the disclosures associated with their paid listings. We find paid placement and paid inclusion listings at each site, but disclosures range from limited to nonexistent. Where disclosures exist, they are largely hidden behind multiple intermediate pages, effectively invisible to most users. We propose specific ways these sites could improve their disclosures, and we flag their duties under existing law.

Advertising Disclosures in Online Apartment Search

A Closer Look at Google’s Advertisement Labels

Google's tiny 'Ads' labelGoogle’s tiny ‘Ads’ label

The FTC has called for “clear and conspicuous disclosures” in advertisement labels at search engines, and the FTC specifically emphasized the need for “terms and a format that are easy for consumers to understand.” Unfortunately, Google’s new advertisement labels fail this test: Google’s “Ads” label is the smallest text on the page, far too easily overlooked. (Indeed, as I show in the image at left, the “Ads” label substantially fits within an “o” in “Google.”) Meanwhile, Google now merges algorithmic and advertisement results merged within a single set of listings; Google’s “Help” explanations are inaccurate; and Google uses inconsistent labels mere inches apart within search results, as well as across services.

Details, including the shortfalls, screenshots, comparisons, and proposed alternatives:

A Closer Look at Google’s Advertisement Labels


Labels and Disclosures in Search Advertising

Disclosure: I serve as a consultant to various companies that compete with Google. But I write on my own — not at the suggestion or request of any client, without approval or payment from any client.

Search engines have long labeled their advertisements with labels like "Sponsored links", "Sponsored results", and "Sponsored sites." Do users actually know that these labels are intended to convey that the listings are paid advertisements? In a draft paper we’re posting today, Duncan Gilchrist and I try to find out.

"Sponsored Links" or "Advertisements"?: Measuring Labeling Alternatives in Internet Search Engines

In an online experiment, we measure users’ interactions with search engines, both in standard configurations and in modified versions with improved labels identifying search engine advertisements. In particular, for a random subset of users, we change "sponsored link" labels to instead read "paid advertisement." We find that users receiving the “paid advertisement” label click 25% to 33% fewer advertisements and correctly report that they click fewer advertisements, controlling for the number of advertisements they actually click. Results are most pronounced for commercial searches, and for users with low income, low education, and little online experience.

We consider our findings particularly timely in light of Google’s change, just last week, to label many of its advertisements as "Ads." On one view, "Ads"” is an improvement – probably easier for unsophisticated consumers to understand. Yet it’s a strikingly tiny label – the smallest text anywhere in Google’s search results, and about a quarter as many pixels as the corresponding disclosure on other search engines. As our paper points out, FTC litigation has systematically sought the label “Paid Advertisement, and we still think that’s the better choice.

What Claria Doesn’t Disclose (Any More)

Now that Claria no longer comes bundled with powerhouse distributors Kazaa and Grokster, and now that Claria has even terminated its fake-user-interface banner ads, one might reasonably wonder: How does Claria get onto users’ PCs? Last month I showed an example of Claria soliciting installations via banner ads served through other vendors’ spyware (which in turn had become installed without consent). But even Claria’s ordinary installations still fail to tell users what users reasonably need to know in order to make an informed choice. In particular, Claria’s current installations omit prominent mention of the word "pop-up" — the key word users need to read in order to understand what Claria is offering, and to decide whether to agree.

Claria’s Current Installation Procedure

Claria’s installations often begin with an innocuous-looking popup or popunder like the image below. These ads don’t mention Claria by name, don’t mention pop-ups or privacy consequences, and don’t mention any material adverse effects whatsoever. So it’s no surprise that users respond favorably to these offers.

Claria's initial installation solicitation, showing screensavers and mentioning that they are "free," but not mentioning that they come from Claria, that they bundle pop-up ads, or that they track where users go online.

Clicking one of Claria’s "free screensaver" ads yields a screen like that shown below. Users are specifically encouraged to click "yes." Once a user presses "yes," the user has no further opportunity to cancel installation of Claria’s software.

Claria's second installation screen.  Clicking "yes" once  installs Claria software immediately, with no further opportunity to cancel.

It’s well-known that users hate pop-up ads. But, tellingly, Claria currently fails to use the word "pop-up" anywhere in its on-screen disclosures. Claria calls its advertising "GAIN-branded ads," conveniently omitting the one word — "pop-up" — that best and most concisely describes its ads. Interestingly, Claria’s omission of the word "pop-up" reflects a change from its prior installation practice. Compare the two screenshots below, showing the prompt I observed in April 2005 (left) versus Claria’s current installation prompt (right). Notice inclusion of the word "pop-up" in the left prompt only.

Claria's April 2005 installation prompt, including the word "pop-up."   Claria's current ActiveX installation prompt -- omitting the word "pop-up."
April 2005

November 2005

Claria’s Compliance with Applicable FTC Rules

In an August 2004 interview, Claria chief privacy officer Reed Freeman set out Claria’s disclosure duties. "Material terms, as defined by the FTC, are those that are likely to affect a consumer’s conduct with respect to a product or service," Freeman explained, adding that existing law requires that "material terms have to be disclosed prior to a consumer [installing software]." Let’s accept Freeman’s statement of this rule. Surely the presence of extra pop-ups would deter a consumer from accepting Claria’s offer. If so, under Freeman’s own statement of existing law, Claria must disclose that it will show pop-ups.

Claria may try to defend its installations by noting that the word "pop-ups" appears in the "Final Step to download your free screensaver" screen, above. But in the default arrangement of windows, as they appeared on my ordinary SVGA screen, the "p" and "o" of "pop-up" were hidden behind the ActiveX popup, such that only the letters "p-ups" were visible. Hidden text cannot satisfy a FTC disclosure requirement. So this covered disclosure does not provide the kind of information that FTC rules require.

Claria may try to defend its installations by noting that it subsequently shows a "software utility user information" screen. Scrolling through this screen will ultimately lead to information about Claria’s pop-ups. But the document is lengthy, and typical users will not see the section that discusses pop-ups specifically. Furthermore, the document is shown only after users press Yes to install Claria; by the time users see this document, they can’t cancel the Claria installation. So this subsequent text cannot satisfy the requirement that disclosure occur "prior to a consumer installing software" (emphasis added).

Claria may try to defend its installations by noting its plan to move away from popups, in favor of ads embedded within partner web sites. But the Claria software I tested — the result of the installation shown and discussed above — still showed pop-ups, including a popup delivered mere minutes after I finished installation. These pop-ups are a material effect, under Freeman’s own statement of FTC rules. So whatever Claria’s future plans, Claria’s current pop-ups should be disclosed as such.

Some advertisers apparently stand ready to defend their use of advertising systems like Claria’s, and Claria counts as customers some of the country’s largest advertisers. But advertisers should demand better. If advertisers are prepared to show their ads in pop-ups, let them first obtain user consent — not vague consent to "ads," but specific consent to "pop-ups." Until Claria improves its installation procedures to provide this information, users who run Claria software can’t reasonably be claimed to know what they were getting into.

180 Talks a Big Talk, but Doesn’t Deliver updated February 4, 2005

The anti-spyware community has been abuzz all weekend with the news of spyware company 180solutions joining the Consortium of Anti-Spyware Technology (COAST). From the 180solutions press release:

"180solutions, a provider of search marketing solutions, today announced it has become a developer member of … COAST. … By working with COAST and complying with its strict Code of Ethics, standards and guidelines, 180solutions aligns itself with the organization’s governing companies, … PestPatrol, … Webroot. … “180solutions has passed a lengthy and rigorous review process demonstrating their commitment to develop and distribute spyware-free applications,” said Trey Barnes, executive director of COAST."

Some specific worries:

Substantive conflict of commitment

COAST members PestPatrol and Webroot currently detect and remove 180 software. So these companies are (rightly!) telling their users that 180solutions software should be removed from users’ computers.

At the same time, according to 180’s press release, 180solutions is "releasing versions of its applications that have been reviewed and evaluated by COAST." This press release, COAST’s "review" of 180 software, and COAST’s acceptance of 180 into its consortium can only be taken to constitute a COAST endorsement of 180. That’s a clear conflict with COAST members simultaneously recommending that users remove 180 software.

Then there’s the conflict of interest that inevitably arises whenever an anti-spyware company declares an alleged spyware provider to be legitimate. Users buying a vendor’s anti-spyware software think they’re buying that vendor’s best efforts to identify and remove software users don’t want. When the vendor instead accepts funds from a software provider, one making the kind of software that the vendor is supposed to be removing, users can’t help but wonder whose interests the vendor has in mind. To my mind, the better strategy is for anti-spyware vendors to refuse partnerships with any company making software that might colorably be claimed to be spyware. (See Xblock’s statement of policy.)

I don’t want to overstate the problem. So far, PestPatrol and Webroot still detect and remove 180 software. 180 isn’t listed on COAST’s Members page. And COAST members don’t directly receive the money 180 pays COAST.

But the latent problems remains: For a fee, COAST is certifying controversial providers of allegedly-unwanted software, dramatically complicating the role and duties of COAST and its members. COAST staff are providing favorable quotes in 180 press releases. Who can users trust?

180solutions installation practices are outrageous and unethical

180’s endorsement by COAST is particularly puzzling and particularly worrisome due to 180’s many bad business practices. Indeed, in my testing, 180’s installation practices remain among the worst in the industry. The details:

I have personally observed (and preserved in video recordings) more than two dozen instances of 180 software installed through security holes. (Example video.) Just yesterday, I browsed the Innovations of Wrestling site (, proceed at your own risk), where viewing the site’s privacy policy invoked a security exploit installing more than a dozen unwanted programs, 180solutions software included. (Note that iowrestling’s installations are at least partially random, so it’s hard to replicate this result. But I kept a video and packet log of my findings.)

Even when 180 installers do request consent to install, the disclosure is often quite misleading. For example, I previously documented Kiwi Alpha installing 180, first mentioning 180 at page 16 of a 54-page license agreement. With 180’s installation warning buried in such a long text, ordinary users are unlikely to learn that Kiwi gives them 180. Certainly users don’t grant knowing consent to the installation.

180’s web site claims "no hiding," but 180 uses a variety of tricks to make its software harder to find and remove. 180 sometimes uses randomized filenames which make its files unusually difficult to locate. 180 also installs itself into multiple directories — sometimes c:Program Files180solutions (or similar), but sometimes into the root of c:Program Files and sometimes directly into a user’s Windows directory. If uses do manage to find and delete some 180 files, another 180 program often pops up to request reinstallation. If these tricks don’t constitute hiding, I don’t know what does.

180’s controversial installation practices are not mere anomalies. I’ve observed these, and others like them, for months on end. Even 180solutions’ director of marketing sees the problem. See Seattle Post-Intelligencer article, reporting his admission that "n-Case could get bundled with other free software programs without the company’s knowledge [which] could lead to the n-Case software fastening to individual’s computers without their knowledge."

How did 180 get into this mess? It seems 180 hasn’t been careful in choosing who they partner with. In fact, they recruit distributors (as well as advertisers) by unsolicited commercial email. See 20+ examples.

Interestingly, in its recent press release, 180 does not claim to have stopped these controversial practices. If 180 did make such a claim, I’d be able to disprove it easily — there are so many sources of 180 software installed without notice and consent. Instead, 180 claims only that they are working on a "transition" to improved business practices.

But this isn’t the first time 180 has promised to clean up its act. In March 2004, 180’s CEO claimed 180’s "Zango" product — then the new replacement for the older n-CASE — would give users more information before installation. In an April interview, he attributed to the old n-CASE product "certain users … who are not sure where or how they got our software," but said "the Zango product … is a means to improve that." On at least these two occasions, 180 has pledged to improve its practices. Nearly a year later, 180 software often still gets installed without notice or consent. So we’re still waiting for the promised improvements. Meanwhile, 180 continues to benefit profit from its millions of ill-gotten installations.

180solutions advertising practices are outrageous and unethical

Beyond controversial installation methods, 180 also deserves criticism for its intrusive and allegedly-anticompetitive advertising practices.

180 covering with Hawaiian Airlines web site180 covering with Hawaiian Airlines web site

When 180 covers a web site with one of its competitors, 180 doesn’t just show a small popup ad (like, say, Claria — not that Claria’s practices deserve praise). Instead, 180 opens a new web browser showing the competitor’s site, generally covering substantially all of the targeted web site. A user who wants to stick with the site he had previously requested must affirmatively close the new window — taking an extra step due to 180’s intervention. What would we think of a telephone company that connects a user to Gateway when the user dials 1-800-Dell-4-Me, unless the user then presses some extra key to return to what he had requested initially? The real-world analogy makes it almost too easy to assess 180’s legitimacy: No telephone company could get away with such a scam, yet 180’s advertising practices have gone largely unchallenged.

Even more problematic are 180 ads targeted at competitors’ check-out pages. Sometimes 180 lets a user browse a merchant’s web site uninterrupted, but when the user reaches the page requesting order confirmation, 180 then covers the merchant’s site with a competitor — interrupting the user’s purchase. Again, the real-world analogy is straightforward. Suppose one retailer sent its sales employees into a competitor’s store, to invite users to take their business elsewhere as they waited in line to reach the checkout counter. The intruding employees would be arrested as trespassers.

Then there are the thousands of 180 ads that include affiliate codes. Some of 180’s ads cover a web site with a competitor reached through an affiliate link. Via these ads, companies find themselves promoted by 180, and find themselves directly or indirectly paying commissions to 180 — all despite never requesting that 180 advertise or promote them.

Even worse are the 180 ads that target a merchant with its own affiliate links. Here, merchants end up paying affiliate commissions where they’re not otherwise due. For example, when users reach merchants’ sites by clicking through non-affiliate links or by typing merchants’ domain names, 180 nonetheless intercedes by opening affiliate links to merchants’ sites. Whether shown in double windows, hidden windows, or on-screen decoys, 180’s affiliate links make merchants’ commission-tracking systems think resulting purchases resulted from 180’s promotional efforts. Unless merchants figure out that they’re being cheated — being asked to pay commissions not fairly earned — 180 and its advertisers receive commission payments for users’ purchases. (Details; example.)

There’s plenty more to criticize about 180. To this day, installations on let users install 180 software without so much as seeing 180’s license agreement. Even 180’s current uninstall procedures give far more information than 180 provides prior to installation. And Andrew Clover reported 180 code that deletes competitors’ programs from users’ disks.

COAST’s credibility on the line

180’s claims of planned improvement are essentially unverifiable. Since 180 admits to a mix of permissible and impermissible installations, its claims of improvement cannot be falsified by critiquing current behavior. Instead, whenever I or others show 180 software installed without proper notice and consent, 180 can say this is just a remnant of prior practices not yet cleaned up in "transition." By the plain text of 180’s press release, we’ll have to wait at least 90 days to prove that 180 isn’t living up to its promises to COAST and to users.

Why would COAST sign onto this bargain? MediaPost reports 180 paying COST a membership fee as large as $10,000 per year, so that gives one clear explanation. Also, notwithstanding participation by PestPatrol and Webroot, COAST’s past is hardly uncontroversial. In 2003, Lavasoft (makers of Ad-Aware) decided to leave COAST, complaining that COAST’s focus on "revenue generation … reflect[s] badly on the entire anti-trackware industry." Similarly, Spybot refused to join COAST due to participation by companies that were, in Spybot’s view, unethical.

COAST’s credibility is on the line. I don’t see endorsement of software providers as an appropriate part of COAST’s mission. But even if such work were appropriate, 180 deserves no such praise — its history of outrageous practices and its continued use of such practices mean it should be criticized, not granted an award or endorsement.

Update (February 4): Reporting "concern" at COAST’s certification program, Webroot resigned from COAST.

Update (February 7): Computer Associates (makers of PestPatrol) also resigned from COAST. However, a CA spokesperson defended COAST’s endorsement procedure, calling such endorsements "valuable."

Disclosure: I serve as a consultant to certain merchants concerned about fraudulent activities by 180solutions and its advertisers. I have advised certain attorneys and merchants concerned about 180solutions activities and practices.

Claria’s Practices Don’t Meet Its Lawyers’ Claims

Among the highlights of my winter holiday reading was a MediaPost interview of Reed Freeman, chief privacy officer of Claria. Freeman makes a series of claims about Claria’s practices — setting out high standards that he claims Claria already meets. As it turns out, his claims are in multiple instances verifiably false.

Removing Claria Programs – Neither "Intuitive" Nor "Standard"

Freeman claims that Claria has "the intuitive and standard Windows uninstall process." I disagree.

Install Claria software in a bundle with Kazaa, and there will be no "Claria," "Gator," or "GAIN" listing in Control Panel’s Add/Remove Programs. Same for the other programs that bundle Gator (like DivX and Grokster). Instead, users who want to remove Gator are required to figure out that they need to select the "Kazaa" entry in Add/Remove Programs. That’s neither intuitive nor standard.

Claria admittedly sometimes tells users about its unusual removal procedure. Five pages (370+ words) into Claria’s license (as shown by Kazaa), Claria mentions "If you would like to stop receiving GAIN-branded advertisements, you will need to remove all GAIN-Supported Software on your computer using … Add/Remove Programs."

Screen-shot showing that when  Zango comes with Secret Chamber, Zango receives a separate entry in Add/Remove Programs.  Claria's Gator, in contrast, lacks such an entry.Screen-shot showing that when Zango comes with Secret Chamber, Zango receives a separate entry in Add/Remove Programs. Claria’s Gator, in contrast, lacks such an entry.

But Freeman doesn’t claim that Claria’s uninstall process is well-documented. He claims it’s "standard." To the contrary, when other programs come in bundles, they generally include separate entries in Add/Remove Programs. For example, when RealPlayer comes with Google Toolbar, each program gets a separate Add/Remove listing. Even among so-called "adware" programs (that monitor users’ web browsing and show advertisements), Claria’s approach is unusual. When 180solutions Zango comes bundled with other programs (like Zango Games’ Secret Chamber), Zango has its own entry in Control Panel. See screen-shot at right.

Neither is Claria’s uninstall procedure "intuitive." The intuitive way to remove an unwanted program is to find it, by name, in Add/Remove Programs. Claria makes the process harder by forcing users to figure out which programs bundled which — an unnecessary procedure that is not "intuitive." The process becomes even more difficult when Claria cross-promotes its various products: Once a user receives Claria’s advertising-display software, Claria often shows pop-ups that encourage installation of other Claria programs, such as clock synchronizers and weather monitors. As a result, many Claria users run multiple "Gator-supported" applications, each of which must be separately identified and removed to complete Claria’s so-called "intuitive" uninstall.

Also nonstandard is Claria’s prohibition on using "unauthorized" removal methods (namely, removal tools like Ad-Aware and Spybot). See my earlier Gator’s EULA Gone Bad.

One-Step Install, Harder Uninstall

A Claria drive-by installer, installing Claria software (without any further request for consent) if users press Yes.A Claria drive-by installer, installing Claria software (without any further request for consent) if users press Yes.

Freeman later reports "The FTC has long taken the position that consumers should be able to get out of the bargain just as easily as they got into it." Turning to Claria’s practices, he claims "you can get into our bargain by responding to an ad, and you can get out of our bargain by responding to an ad."

Freeman makes it sound like removing Claria is as easy as getting Claria, but that’s just not the case. Claria software can become installed after only a single click on a single "Yes" button in a Claria "drive-by" ActiveX pop-up (like the one at right).

Claria uninstallation screen, adding additional steps to attempts to remove Claria software.Claria uninstallation screen, adding additional steps to attempts to remove Claria software.

In contrast, removing Claria requires a longer procedure. At best, click Start – Settings – Control Panel – Add/Remove Programs, then find the installed Claria or third-party program, press Remove, and press Next twice (eight clicks total) . The final two clicks are necessary to decline Claria’s pleas to remain installed. (See the screen-shot at left.) Through this procedure, Claria requires triple confirmation before its software can be uninstalled, even though Claria had requested no extra confirmation to get onto users’ PCs.

So users can receive Claria by clicking once on a single ad, but removing Claria requires many more steps. This design seems like a clear violation of the "get out … as easy as … got in" rule Freeman attributes to the FTC. Why not place a one-click uninstall button on every Claria ad, so users can remove Claria as easily as they got it?

Telling Users What Claria Really Does

Freeman further notes the importance of disclosing what a program will do before that program is installed on a user’s PC. Freeman explains:

"The law is that material terms have to be disclosed prior to a consumer’s taking action. … Material terms, as defined by the FTC, are those that are likely to affect a consumer’s conduct with respect to a product or service. … In my view, the key terms that consumers should know–those that consumers would be unhappy if they didn’t know–are that we will track your online behavior and serve you advertising. Those key material terms are disclosed in every download process … in a way that is unavoidable prior to the consumer taking action "

I applaud Freeman’s emphasis on timely disclosures. But here too, Claria’s actual practices fall short.

Claria’s prominent disclosures say nothing of transmission or storage of users’ activities. The first page of Claria’s license (as shown by the Kazaa installer) mentions that advertisements are "selected in part based on how you surf the Web." From this disclosure, users could reasonably conclude that Claria’s software chooses ads by mere monitoring of users’ activities — observing a user at one travel site, then showing a pop-up ad for another.

But as it turns out, Claria does more. Claria transmits users’ activities to its servers, then stores this information in a huge database. A November 2003 eWeek article reported that Claria’s then-12.1 terabyte database was already the seventh largest in the world — bigger than Federal Express, and rivalling Amazon and Kmart. A recent Oracle press release touted Claria as "one of the the world’s largest Oracle Data Warehouse … deployments."

Claria’s license fails to prominently disclose transmission and storage of users’ activities. That advertisements are "selected in part based on how you surf the web" says nothing of any central Claria database recording who goes where. Only at page 11 of 63, 950 words into its 5,900+ word license, does Claria finally explain its true design — transmitting user activities to Claria servers — by admitting that "we do know … some of the web pages viewed" (emphasis added).

Screen-shot showing the disclosure shown by Zango when bundled with Secret Chamber.  Zango prominently discloses that it Screen-shot showing the disclosure shown by Zango when bundled with Secret Chamber. Zango prominently discloses that it “collects” information about users’ web site visits.

Here again, Claria’s disclosure is inferior to its competitors. 180solutions software is sometimes installed without any notice or consent at all — for example, through security holes. (video) But when 180 requests permission to install, it offers a more forthright description of its intended activities. For example, when installed with the Secret Chamber video game, 180 prominently discloses: "Zango collects … information about the websites a user visits." (screenshot)

A user who receives 180’s disclosure learns that 180 will not only monitor online behavior, but also collect this data. That’s a fact 180 seems to regard as relevant — worth bringing to users’ attention, beyond fine print midway through a long license agreement. It’s a fact of likely interest to many users — who may not want their data stored, perhaps permanently, on Claria’s servers. So this transmission and collection is, in Freeman’s words, a fact consumers "would be unhappy if they didn’t know." By Freeman’s own standard, then, this fact ought to be more prominently presented in Claria’s disclosure — on page one, not page eleven.

Grokster and Claria Take Licenses to New Lows, and Congress Lets Them Do It

I’ve recently been looking at the unwanted software installed by Grokster (a peer-to-peer filesharing program). Eric Howes has documented Grokster’s exceptionally large bundle, which includes Claria, 411 Ferret/ActiveSearch, AdRoar, Altnet/BDE, BroadcastPC, Cydoor, Flashtrack, MyWay/Mybar, SearchLocate/SideBar, Topsearch, TVMedia, VX2/ABetterInternet, Browser Hijack, two different TopMoxie programs (branded by WebRebates), and several other programs not yet identified.

These programs, in combination, place a major burden on users’ computers: Loading and running so many extra tasks leaves less memory, less bandwidth, and less CPU time for whatever users actually want to do. My lab PCs are fast and well-maintained, but installing Grokster and its bundle makes them sluggish and hard to use. Worse, it’s hard to undo the damage Grokster and its partners cause: Eric also tracks, in unprecedented detail, how even the newest spyware removal applications can’t get rid of all the programs Grokster installs. It’s a mess, Eric’s site explains, and he’s surely right.

But as it turns out, the situation is even worse than Eric realized. As Eric explains, Grokster installs lots of junk if a user presses Accept. However, Grokster also installs software even if the user presses Cancel! That’s right: If a user has second thoughts after seeing the long license agreements, and if the user decides to press Cancel, Grokster’s installer nonetheless installs SearchLocate/SideBar and TVMedia. See the screen-shots below, taken from my video (WMV, 1MB) of the install process. (For best viewing, watch video in full-screen mode.)

C:\Program Files directory before Grokster installation begins.  Click to enlarge.


C:\Program Files folder before Grokster installation begins.
Sorted by date/time, ascending order. Latest entries:

Pressing Cancel in the Grokster installer.  Click to enlarge.  

The Grokster installer. I press the Cancel button.


C:\Program Files directory after Grokster installation is cancelled.  Click to enlarge.  

C:\Program Files folder after Grokster installation terminates.
Sorted by date/time, ascending order. Latest entries:

Notice new entries at the bottom of hte list: SearchLocate and TV Media.  These directories and their contents were created, after I pressed the Cancel button in the Grokster installer.

Equally outrageous are the extraordinarily lengthy license agreements Grokster and its partners ask users to accept. First comes a Claria license agreement that takes, by my count, 120 distinct screens (119 presses of the page-down key) to view in full. As shown in the Grokster installer, Claria’s license has grown to an incredible 6,645 words. So Claria’s current license is 43% longer than the US constitution — before we count the nine separate web pages Claria’s license references, some of them quite lengthy, but which Claria nonetheless claims are "incorporated by reference." Furthermore, Claria’s license is growing rapidly: When I prepared screen-shots of Claria’s license, as shown by Kazaa in June 2004, the license was 5,541 words long. If Claria’s license continues to grow by 20% every four months, it will be 11,500 words long in October 2005, and 34,300 words long in October 2007. Maybe Claria’s lawyers get paid by the word.

And it gets worse: Grokster installs other programs, with their own licenses, and Grokster shows these many licenses en masse in a subsequent screen. These licenses appear in a text box that, for whatever reason, doesn’t let me to copy its text to the clipboard. So I can’t know the precise word count of the licenses in this second box. But I do know it took 278 page-downs to view the entire license.

That makes a total of 398 page-downs for any user who wants to know what lies in store upon installing Grokster. 398!

This past week, the US House of Representatives passed two bills that purport to address the spyware problem. Would they do anything about Grokster’s outrageous activities?

Goodlatte‘s H.R.4661 prohibits unauthorized software installation — but only under specific, narrow circumstances. I can’t immediately say that SearchLocate/SideBar and TVMedia are used in furtherance of a Federal criminal offense, so Sec.2.(a) is inapplicable. And I can’t say that the programs intentionally obtain or transmit personal information with the intent to defraud, injure, or cause damage. Surely the programs’ authors would deny any such intent. So Sec.2.(b) is inapt too. Looks like Goodlatte’s bill wouldn’t help.

Bono‘s H.R. 2929 does prohibit the unauthorized software installation. Sec.2.(a)(4)(A) specifically bans installing software when a user declines installation. Score one for the good guys.

But suppose Grokster ended the truly outrageous installation of software even when users press Cancel, instead installing its bundle only when users press Accept. (Grokster will more than likely make this change after reading my article.) Then Grokster would be, I fear, substantially compliant with H.R.2929.

For 2929’s purposes, it doesn’t matter that Grokster installs so much software that it essentially ruins even an above-average PC. The bill’s Sec.3. approves of the installation of fifteen programs, or a hundred and fifteen, so long as the user is first shown a single notice that warns "This program will collect information about Web pages you access and will use that information to display advertising on your computer. Do you accept?’ Or, thanks to a recent revision to the bill, the installer can show some other text, so long as it is "substantially similar," but even if it is more complicated, more confusing, or harder to understand.

I worry that Grokster can and will include the brief disclosure 2929 specifies, or an alternative text that makes the installation sound even more unobjectionable. Then all too many users will be tricked into accepting Grokster’s massive software bundle, and they will find their PCs grind to a halt under the load Grokster and its partners impose. Users will be running Bono-certified software, 100% compliant with relevant law (should Bono’s bill in fact become law). But their computers will be nearly useless nonetheless.

If I were revising Bono’s bill, I’d seek to tighten its requirements. I certainly wouldn’t permit watered-down "substantially similar" disclosures. I’d also prohibit the installation of a bundle of software, where the user requested only a single program, if that bundle has significant adverse effects on the speed and reliability of a typical computer, and if that bundle has no substantial relationship to the software the user initially requested. For bundled programs that show advertising, I’d require that the installation provide a sample of each kind of advertisement to be shown, and I’d require that the installation disclose the typical frequency of ad displays. In short, there are lots of creative ways to tighten the language, so that programs can’t satisfy the bill’s requirements while continuing to trick users into unwanted installations.

Instead, 2929 takes a narrower approach — admittedly stopping a class of outrageous behaviors, but letting all too many continue. Given the bill’s preemption of tougher state laws, this is legislation that, far from stopping spyware, in many respects makes the spyware problem worse.

Can we count on the Senate to close the loopholes in the bills as passed? News coverage suggests that these bills are a done deal already. And Congress has enacted weak legislation before (e.g. CAN-SPAM). So I’m not holding my breath.