Followup Comments by Eric L. Howes on the Problem of Spyware
After the FTC April 2004 Spyware Workshop

May 21, 2004

Federal Trade Commission
Office of the Secretary
Room 159-H
600 Pennsylvania Avenue N.W.
Washington, D.C. 20580

Re: Spyware Workshop - Comment, P044509

On April 14 Mr. Jason Lucas of C2 Media submitted a response to the several comments of others who discussed C2 Media's software. As one of the documents that I submitted provided an extended analysis of the installation practices of C2 Media's software (see "Anatomy of a Drive-by-Download," included in comment # 59 Howes 03/29/04), it is likely that Mr. Lucas was in part responding to my submission, though he does not point to my submitted comments specifically. Nonetheless, several of the claims that Mr. Lucas makes in his response merit scrutiny.

Mr. Lucas first addresses the question of whether EULAs (End User License Agreements) serve as adequate notice and disclosure to consumers of the functionality and behavior of the software they encounter on the web. Mr. Lucas writes:

It would appear that a number of consumers and companies contend that users should not be held accountable for their acceptance of a binding EULA because it was too long or too boring for them to read before they pressed "next." Such a position ignores the legal effect of binding digital contracts. To adopt that view would invalidate any online digital contract, including credit card purchases, online loan or mortgage applications and online banking. As with other contracts or agreements, there must come a point when the consumer has to be held accountable for his or her own actions. 

Anyone who has read my analysis of C2 Media's software installation practices as I encountered them at the web site will surely recognize that Lucas severely understates the problems that users experience with the EULAs that C2 Media and other advertising software companies employ as notice and disclosure. The problems with C2 Media's EULA go well beyond the document's being "boring." To summarize briefly, I noted that C2 Media's EULA:

  • was presented to users in confusing, deceptive circumstances;

  • contained EULAs and privacy policies for 8 different programs from 3 different companies;

  • was an incredible 8400 words in length (18 double-spaced pages);

  • buried key terms in long, dense, unreadable blocks of legalese;

  • neglected to provide a simple, readable summary of key functionality and terms.

Still worse, as I discovered after I submitted my original comments to the FTC on March 29, it turns out that my original figures on the length of the license agreement were wrong. When I performed my trials with C2 Media's software on Mar. 23, 24, and 26, the "Verification Box" that contained the EULA would not display the entire license. Thus, when I copied the license from the scroll box, I missed about 1000 words at the end of the license agreement. I discovered this problem on a retrial with the download.mp3.exe stub downloader on Apr. 10. During that partial retrial I used the Windows "Select All" context menu option to grab the entire license. The complete license agreement actually spans over nineteen single-spaced pages (almost forty double-spaced) and totals 9400 words.

Needless to say, Mr. Lucas's comments on the EULAs and other notice/disclosure practices used by C2 Media and others do not present a fair and accurate picture of just how difficult and confusing users find these installation practices. Indeed, if the consumers Mr. Lucas is complaining about were to actually take C2 Media up on its demand that they read the company's license agreements in full, C2 Media simply wouldn't have a business because most users would never make it through the hour or so of reading required. Still worse, Mr. Lucas is effectively demanding the impossible: consumers would not even be able to read the entire license agreement because the EULA scroll box used by C2 Media's software does not display the full text.

In my experience, the problems that I encountered with C2 Media's installation practices are quite representative of the inadequate, unscrupulous notice and disclosure practices of the advertising software industry more generally.

In his response Mr. Lucas also addresses the issue of uninstallers for advertising software products such as C2 Media's software. He writes:

I think it is important to address the issue of uninstalling advertising software -- specifically that created by C2 Media. I have read several consumer complaints stating they could not remove the adware once installed on their system. I believe the reason for this problem is the users' failure to run the built-in uninstaller that came with the software from the add/remove programs menu. Because of the undue fear created in the market place over advertising software, those users resort to anti-adware programs which improperly remove the adware and damage the installation files.

Because of such "removal problems," C2 Media has always had a separate stand alone uninstaller available on its website help page -- < #uninstall>. This uninstall program has been specially designed to remove even damaged installation of the advertising software. Moreover, C2 Media also has 24 hour "real human" e-mail assistance available to assist consumers with any uninstall difficulties they might experience. 

Later, he attempts to blame anti-spyware programs for causing problems for consumers:

It is important to recognize the harm the "anti-advertising" industry is potentially causing in this situation with the current incarnations of their anti adware software products. Rather than attempt to prompt the proper built in uninstall option for the adware product when available, some "anti-adware" software products attempt to forcibly remove the adware component, resulting in the removal of critical system files (and, in some cases, even the built in uninstaller for the adware itself).

Rarely do these anti-adware programs completely remove all of the components of the adware. Instead, they leave behind remnants or improperly functioning components of the original adware software, possibly resulting in damage to the user's computer. Had the anti-adware software used the built-in uninstaller available from add/remove programs file and prompted the user for interaction at that point, the built-in uninstaller for the adware would have been activated and would have properly uninstalled the adware package, thereby fully restoring the users computer to its original state before the adware was installed. 

Having tested C2 Media's software myself, I must point out several problems with what Lucas claims here. First, although C2 Media does supply uninstallers for its software, I experienced several problems uninstalling C2 Media's software during my tests:

  • The uninstallers left on my test system were not clearly and conspicuously marked and thus were difficult to locate and use.

  • Several of the applications installed as part of C2 Media's complete software package required me to track down separate uninstallers on the web -- not an easy task given that, in some cases, no URLs were provided to locate the appropriate web pages.

  • Most of the vendor-supplied uninstallers that I used simply failed to completely remove the applications that were installed as part of C2 Media's software package, requiring me to resort to anti-spyware software to remove what remained.

Second, however, my experience with the several well-known anti-spyware programs used in my tests suggests that these anti-spyware programs actually do a better, more thorough job of removing the advertising software bundled as part of C2 Media's software package than the vendor-supplied uninstallers. Far from doing harm or creating problems for consumers, anti-spyware software is often necessary because companies like C2 Media do not supply completely reliable uninstallers to consumers.

Mr. Lucas simply fails to give a complete and accurate picture of the notice, disclosure, and choice practices employed by C2 Media and the advertising software industry more generally. When the FTC is considering whether there is some marked difference between "spyware" and the self-described "adware" pushed on users by companies like C2 Media, it ought to bear in mind the several serious failings of Mr. Lucas's software.

Respectfully submitted,

Eric L. Howes

Related Documents    [return to top]

2004 Eric L. Howes