The Spyware Warrior Guide to Adware Installations of 2005

Just over a year ago the Federal Trade Commission hosted a one-day Spyware Workshop, which was attended by a wide variety of individuals representing a myriad of interests. That workshop signaled an important turn in the debate over spyware and adware, which had hitherto received little attention from regulatory authorities. The major players in the adware advertising space recognized the importance of the event, and a number of them either submitted comments or attended the event (e.g., Claria, WhenU, C2 Media).

In the one year since the FTC's workshop, the adware industry has been making a great deal of noise about its great regard for the privacy of web surfers and its sincere intention to hold itself to high standards to preserve users' control of their own PCs and online experience (e.g., WhenU, 180solutions). The major adware companies have even advocated, set up, or joined industry efforts to establish "best practices" governing the installation and privacy practices of advertising software (e.g., OPA, CSWG, COAST).

The Question

In the wake of this activity, a great deal of effort has been devoted to examining the installation practices of advertising software (otherwise known as "adware"). Much of this effort on the part of researchers and critics has focused on identifying and exposing the worst sorts of installation practices -- "stealth installs" or "force installs," often performed through the use of security exploits, in which users receive absolutely no notice that advertising software is to be installed on their PCs.

As outrageous as such stealth "drive-by-download" installations are, we shouldn't neglect the mundane reality of spyware and adware, namely that the vast majority of it is still installed after users are presented with some form of notice and disclosure but are tricked, hoodwinked, bamboozled, or otherwise induced into "consenting" to the installation of software they would otherwise find objectionable. 

Thus, it becomes critical to examine closely the installation practices of adware applications that do offer some form of notice and disclosure, and to do so with an eye towards understanding just how users can be induced to "consent" to the installation of software they would otherwise not want. This task is especially important given that most of the major adware players claim that their installation practices are so clear, straightforward, and forthright that users must be actually indicating their knowing, meaningful consent when they click through installation screens that ask them to agree to the installation of advertising software. 

We hasten to add that we aren't the only ones who regard the installation practices of adware vendors as a critical subject of scrutiny. In announcing its recent action against Intermix Media, the New York Attorney General tellingly singled out the notice, disclosure, consent, and choice practices of that adware vendor. Moreover, in its several filings (Petition, Affirmation) the Attorney General devotes a good deal of space to detailing the objectionable installation practices it encountered with bundled installs of Intermix Media's software found at mainstream web sites.

The Challenge

To examine the installation practices of the major adware vendors, we have tried to assemble not a "rogues gallery" of "stealth-installs," but a collection of adware installations that might initially appear to be substantially ethical and above-board. We have also looked for installations that we could present as somewhat representative of the typical installation practices used by the more reputable adware vendors. In other words, instead of looking for the "worst-of-the-worst," we went looking for installations that might fairly be said to represent the adware industry on its better behavior.

To do this, we have limited ourselves to bundled installs of adware from apparently reputable, mainstream web sites, because these are the most likely to employ carefully designed notice and disclosure practices. What you will see are not "force-installs" by CoolWebSearch variants through security exploits at porn and "warez" sites, but apparently innocuous installations of advertising software from the more reputable players (WhenU, 180solutions, Claria, among others) at web sites offering mainstream fare.

We have also decided to ask readers to evaluate these installations by using criteria offered by a leading advertising software company, one which many critics and commentators regard as a breed apart from most of its competitors in the adware space: Claria Corp., whose GAIN advertising software has nonetheless been the subject of heated discussion.

The Standard

In the comments it submitted to the FTC last April, Claria promoted three "core principles" for adware vendors to embody in their business practices: notice, consent, and control. Claria explained these principles thusly:

A. Notice and Consent.
The consumer's decision to install ad-supported software must be preceded by notice of the relevant aspects of the software and consent to its installation. If adware collects and relies on personally identifying information to serve ads, or if it collects and uses sensitive personal information such as financial account numbers or health-related information, this must be disclosed to consumers clearly, conspicuously, and unavoidably before consumers can choose to download the software.

B. Control.
Consumers should have the right to change their minds. In the context of adware, Claria believes that no decision by a consumer to install its software should be final. Consumers should be able to identify the source of the ads they get from adware they have installed based on a quick look at the text and graphics of the ads themselves. Consumers should also be given a means - also from the ads themselves - to be reminded why they received the ads, and to uninstall the ad-supported software that generates the ads if they so desire. The uninstall procedures of the ad-supported software should be simple, easy to understand, and consistent with the way consumers uninstall software that is not ad-supported generally.

With those "core principles" in mind, we ask readers to review the example adware installations that we have assembled and make up their own minds as to whether the adware industry has made significant progress in cleaning up its business practices.

Menu of Installations
At the present time, we have assembled three representative adware installations:
1.  Homer & Bart Desktop Theme
2.  Good Luck Bear Desktop Theme
3.  KiwiAlpha

Note: all three of the adware installations documented in the pages listed above have changed since these write-ups first appeared, so problems detailed on those pages may not reflect the current state of those installations.

Each involves a "free" software program that bundles multiple adware programs from a variety of advertising software vendors. Each installation is examined in some detail, with a generous helping of screenshots and extracts from End User License Agreements (EULAs) and Privacy Policies. And each installation was performed during the last week of April 2005.

We anticipate adding more example installations in coming months.

Note: readers looking for still more examples of sub-standard adware installation practices should review Ben Edelman's ongoing "Misleading Installation of the Week" series of articles.

Going Forward...
It is our firm opinion that the advertising software industry should be judged on the basis of its actual practices, not vague promises about future plans to improve its behavior or empty vows to respect the privacy and choices of web surfers. The adware industry has been in existence for five years now, and it has had plenty of time to get the advertising-supported software model right.

We invite readers to take a close look at the example adware installations we have assembled and ask themselves whether they think the business practices on display represent the kind of high standards that web users rightfully demand from software providers. Do these installation and privacy practices represent the kind of behavior that we would expect from an industry that has been promising for years now to clean up its act?


Copyright 2005 Eric L. Howes