Select Page

Back in November, we expressed concern over TRUSTe’s plans for its “Trusted Download Program,” which should be going into beta very soon.

At the heart of the “Trusted Download Program” will be a whitelist of adware vendors whose practices satisfy TRUSTe’s requirements for notice, consent, distribution, and uninstallation. According to TRUSTe, this whitelist allows “market incentives” to “promote ethical behavior” among adware vendors seeking certification because the white list “will be used by companies beginning with program sponsors such as Yahoo!, AOL, Computer Associates, CNET Networks and Verizon as a tool to make business decisions about advertising, partnering or distributing software products.” In short, the idea is to dangle economic carrots in front of misbehaving adware companies in order to coax them into improving their naughty practices.

We certainly don’t doubt the attractiveness of this white list to adware vendors, many of whom have been scrambling for any scrap of legitimacy they can lay their hands on — loading up their web sites with empty “privacy pledges” and “certified spyware free” logos while issuing endless self-congratulatory press releases in which they celebrate their own “consumer friendly” self-reforms. Not surprisingly, there are signs that adware vendors are already lining up at the door in order to get white-listed.

Some, it would seem, can’t even wait for the door to open. Last week, UTcontextual, a British company that handles ad campaigns in Britain for a number of adware vendors, jumped the gun and issued a press release in which announced to the world that…

“the company confirms that all six contracted networks managed by UTcontextual, will strictly adhere to the TRUSTe download program.”

The press release even includes a laudatory quote from a certain “Tony Sullivan of Media Services” who remarked that

‘”UTcontextual has always delivered ethical advertising opportunities, and it is no surprise that they are first in the UK to publicly back the TRUSTe initiative.”

So just who are these upstanding partners of UTcontextual — partners whose practices have been so sterling that UTcontextual itself has “always delivered ethical advertising opportunities”? They are…

  • Best Offers (aka DirectRevenue)
  • eXact Advertising
  • Hotbar
  • Claria
  • WhenU
  • MetricsDirect (aka 180solutions)

Hardly what one might consider a list of angels, in other words.

DirectRevenue: Although DR has taken substantial steps in the past few months to improve its distribution practices, the company had to be dragged kicking-and-screaming to the point it would even consider serious changes. The subject of a class action law suit and well known (in the past) for threatening critics with legal action, DR gained notoriety last year for carpet bombing the internet with its much-hated “Aurora” program (remember nail.exe?).

Exact Advertising: Another well known adware vendor (Bargain Buddy, CashBack Buddy, Navisearch, BullsEye Network), eXact is also the target of a civil lawsuit over its installation and distribution practices.

Hotbar: This company’s poor practices were exposed last year by both Sunbelt and Ben Edelman..

Claria: Although improving its behavior over the past year or so, Claria’s practices still leave much to be desired (link here and here).

WhenU: The same holds true for WhenU, which has implemented significant reforms over the past year and a half, but which still has nagging problems, including several recent documented force-installs (link here and here).

180solutions: 180 has had no end of problems with unethical and illegal installations over the last few years. 2005’s list of bad installs and bad practices is staggering enough. But 180 has already seen several outbreaks of bad installs in 2006, the latest being through a security exploit. Ever optimistic, 180solutions has elsewhere expressed confidence that it will meet the Trusted Download Program’s requirements.

Given the history of this collection of adware vendors, how is it that anyone can claim that UTcontextual has “always delivered ethical advertising opportunities” — the kind of absolute statement which makes it sound like TRUSTe certification is an afterthought at best? And how can the company “confirm” with such certainty that all of its adware partners “will strictly adhere to the TRUSTe download program”? Not only is it TRUSTe’s job to “confirm” that adware vendors adhere to its standards, but to our knowledge TRUSTe hasn’t even initiated the application and certification process.

It’s just this kind of effort to exploit the TRUSTe program for publicity that gives us pause. Certainly TRUSTe cannot itself completely control the PR departments of adware vendors, and we don’t doubt that TRUSTe has anything but the most serious commitment to ensuring that vendors white-listed through the Trusted Download Program actually meet the program’s requirements. (The practical matter of whether TRUSTe can conduct the kind of thorough investigations required to issue and stand behind white-list certifications for adware vendors is another problem that troubles us.)

This press release is evidence, though, that the program is already attracting adware vendors with a long history of poor practices, a legacy installed base in part derived from these poor practices, and a penchant for exploiting any perceived mark of legitimacy. No one should be surprised at that the companies most desirous of certification and white listing are those who in many respects least deserve it. A similar phenomenon has plagued TRUSTe’s privacy seal program — sites with TRUSTe privacy seals are more likely to be privacy invasive than those without, as it is the privacy invasive sites that most value the air of legitimacy and consumer friendliness that such a seal confers.

Although TRUSTe has insisted that the Trusted Download Program is not be a “consumer facing” seal program, we fully expect that any adware vendor white-listed by TRUSTe will wield that certification as a stick against anti-spyware companies such as Sunbelt — an alleged “industry standard” certification with which Sunbelt is out of step should Sunbelt continue targeting that vendor’s adware programs. Thus, it’s worth reminding users, administrators, and adware vendors that even TRUSTe itself recognizes that anti-malware providers are not bound to respect TRUSTe’s own whitelist. TRUSTe’s “Program Requirements” document states:

“For example, TRUSTe understands that some potentially unwanted software applications may reach users’ computers, and that antispyware software will continue to provide a means of detecting and removing software that fails to meet the standards of the anti-spyware industry or the interests of anti-spyware consumers. TRUSTe hopes that antispyware companies will consider the whitelisting of a company as a useful input into their research efforts, but recognizes that antispyware companies may have different valid methods of evaluating programs and may consider additional relevant factors important to their users.: (“Program Requirements,” p. 2)

Moreover, the independence of Sunbelt’s spyware review process is explicitly established within Sunbelt’s Listing Criteria, which state:

“Although Sunbelt Software does consult and review the opinions and judgments of respected industry experts and leaders regarding the software it considers for detection by CounterSpy, Sunbelt is not obligated to agree with those other viewpoints, nor is Sunbelt obligated to recognize and respect third-party seals, logos, certifications, or classifications of any kind. As Sunbelt’s primary obligation is to its own customers, Sunbelt is bound to make its own independent decisions about software detected by CounterSpy.” (Link )

Put another way, despite what we anticipate adware vendors will be saying about the TRUSTe whitelist, Sunbelt will not be basing its targeting decisions on that white list but rather on its own Listing Critera. We would hope that adware vendors would recognize and respect the independence of Sunbelt’s review process, but we wren’t counting on it.

Eric Howes
Director of Malware Research

Note: this blog entry was updated on March 18 to include 180solutions (MetricsDirect) in the list of adware vendors mentioned in the UTcontextual press release.