Re: Yahoo Gives Adware a Pass
Hi All:
A new article from eWeek on the Yahoo Anti-Spy controversy:
Give Yahoo a Break on This Adware Controversy »www.eweek.com/article2/0,1759,1606431,00.asp
If you were wondering just why those of us who went to the FTC's Spyware Workshop were making such a fuss about the attempts on Panel 1 to enshrine a definitional distinction between "adware" and "spyware," this is it -- because it leads to muddle-headed, ill-informed claims such as Larry Seltzer makes in this eWeek editorial. He writes:
said by Larry Seltzer: So, adware is somewhat sleazy, but it's on a whole different moral level than spyware, which actually spies on you, or perhaps worse. And in fact, there are people who want to run adware. (...)
It's a shame that adware and spyware get associated so closely by being scanned for by the same products. They're not the same problems.
Seltzer's effectively bought into the spyware vs. adware dichotomy that the industry has been urging on anyone who will listen. The reason the industry prefers that terminology and that definitional distinction is that it encourages people to make unwarranted assumptions about a class of software to which somebody somewhere has attached the name "adware."
What unwarranted assumptions are at work here? Several:
1. "Spyware" spies, whereas "adware" doesn't.
Wrong. Plenty of "adware" collects personally identifiable information (PII) or monitors users' behavior on the Internet. Even though most advertising software (whether you classify it as "adware" or "spyware") does use a EULA of some sort, the notice and disclosure of key behavior and functionality is almost always inadequate.
Moreover, plenty of apps classified or dubbed as "spyware" don't "spy" at all, but that doesn't make them any less objectionable. CoolWebSearch, which has been wreaking havoc on the Net for well over a year now, technically doesn't "spy" on users -- it just hijacks their computers and inflicts unwanted garbage on them (see »www.spywareinfo.com/~merijn/cwsc···les.html ).
Bottom line: "Adware" cannot be distinguished from "spyware" on the basis of "spying." (By the way, this is Myth #1 in my "Ten Myths About Spyware" -- submitted to the FTC. See »www.staff.uiuc.edu/~ehowes/ftc-c···tm#myths )
2. "Adware" uses "consumer friendly" notice/disclosure/choice practices during installation.
Several of the panelists on Panel 1 at the FTC's Spyware Workshop were pushing exactly this line, arguing that "adware" is "presumptively legitimate" because it doesn't surreptitiously install behind users' backs and because it offers notice and disclosure of key functionality in the form of a EULA.
But there are several problems with this. First, the notice/choice/disclosure practices of most "adware" are completely inadequate and don't actually ensure that such software is installed with users' full and meaningful knowledge, consent, and understanding. This was clearly demonstrated by PC Pitstop's surveys:
PC Pitstop: Survey Says: Gator Users Didn't Know »www.pcpitstop.com/gator/Survey.asp »www.ftc.gov/os/comments/spyware/···stop.pdf (FTC comments)
PC Pitstop: WhenU Survey »www.pcpitstop.com/spycheck/whenu.asp »www.ftc.gov/os/comments/spyware/···stop.pdf (FTC comments)
Most WhenU and Gator "users" were completely unaware of the software on their systems.
Moreover, if one is going to classify Gator and WhenU as "adware" because of their "presumptively legitimate" installation practices, then you better be prepared for a long line of others to join them in the "presumptively legitimate" "adware" category, including C2 Media's Lop.com software, which also presents users with a EULA during installation. The differences between Gator's installation methods and Lop.com's are not that great -- certainly not great enough to warrant classifying Gator as "adware" and Lop.com as "spyware." Indeed, Jason Lucas of C2 Media claims that Lop.com is itself "adware" -- see Lucas's submitted comments to the FTC:
»www.ftc.gov/os/comments/spyware/···ucas.pdf
Still worse, as I noted in a previous post, Pest Patrol's definition of "adware" seems to be a functional definition, not one that is predicated on notice/disclosure during installation:
said by Pest Patrol: Adware: Software that brings ads to your computer. Such ads may or may not be targeted, but are "injected" and/or popup, and are not merely displayed within the form of an ad-sponsored application.
Thus, no one at this point has any business assuming that just because Pest Patrol has categorized software as "adware" that it has deemed its installation practices "consumer friendly," because Pest Patrol's definition does not speak to installation practices.
And this brings us to the ultimate problem with the term "adware." The word "adware" is insisted upon by the industry and declared "presumptively legitimate." Others like Seltzer pick up the term and begin making all kinds of assumptions about software that's declared "adware," and the entire issue of installation practices then disappears.
This is exactly what the industry had hoped for -- that people (esp. journalists like Seltzer) would begin using the term "adware" uncritically to give its software a free pass without bothering to look carefully at the functionality and practices of the software in question. The industry declares "adware" "presumptively legitimate," and lo and behold people start regarding it as such, just because of the word "adware." This PR game is a classic bait-and-switch and simply encourages folks to let meaningless words like "adware" do their thinking for them.
Bottom line: the "adware" vs. "spyware" dichotomy serves no purpose other than to confuse and mislead, and the whole distinction needs to be rejected outright. (By the way, this is Myth #2 in my "Ten Myths About Spyware" -- see »www.staff.uiuc.edu/~ehowes/ftc-c···tm#myths .)
Seltzer goes on to make several other ridiculous arguments:
said by Larry Seltzer: I think they're morons, but I have, for example, run into users who really like those browser toolbars that come with adware built in. In some cases, the program will fail if you remove the adware. (...)
I tested the actual toolbar myself. Take a look at the nearby screen shot of the interface, as it tells the whole story (click on the button to see the whole window): Yahoo Anti-Spy doesn't scan for adware by default, but it couldn't have made the option to do so more obvious. Nobody could miss that checkbox. (...)
But I bet there are people who will be happy with this setting. It's entirely possible that the number of false positives they will get because of that checkbox is much less than with the standard PestPatrol, which does scan for adware by default.
Undoubtedly there are such people, but we shouldn't be making policy decisions about what to scan for by default in an anti-spyware application based on such a minority of users, esp. given that the application is targeted at users who are less than knowledgeable about these issues.
Again, PC Pitstop's numbers are telling (see above). Don't believe that the numbers of willing users are so small? Then take WhenU's own numbers. On Panel 1 at the FTC's Spyware Workshop, Avi Naider claimed that of 100 million WhenU installations, 80 million had been uninstalled. It's a good bet that of the remaining 20 million installations, well over 90 percent will be removed once those users figure out how to give WhenU's software the boot. See pp. 53-54 of the FTC's transcript of Panel 1 at the Workshop here:
FTC Spyware Workshop Transcript »www.ftc.gov/bcp/workshops/spywar···ript.pdf
Moreover, Yahoo does not give users any information whatsoever about "adware" and why it should or should not be included in a scan. Thus, the "adware" checkbox is a complete mystery. And cautious users who don't know any better could fail to scan for a wide variety of nasty applications -- see again Pest Patrol's listing of "adware":
Adware »www.pestpatrol.com/pestinfo/adware.asp
And "adware" is what is driving consumer complaints about unwanted advertising software. This point was driven home by Bryson Gordon's presentation of McAfee's numbers about the "growth of non-viral threats" -- see:
»www.ftc.gov/bcp/workshops/spyware/gordon.pdf
Where the lines for keyloggers, spyware, dialers, and other exploits remained stable over the course of the past year, the line for "adware" soared, leaving no doubt as to what is driving consumer complaints about invasive software.
Sadly, Yahoo has apparently decided to force users to jump through one more hoop in order to scan for this software, and it did so primarily to protect its own commercial relationships. That kind of decision deserves our contempt and scorn, not excuses.
Eric L. Howes