Court Says Anti-Malware Software Maker Immune From Lawsuit From Zango

from the thank-you-section-230 dept

Infamous adware maker Zango may finally be dead, but its lawsuits live on. You may recall a few years back Zango sued security software maker Kaspersky for calling its product "spyware." A court found that Kaspersky has every right to label the software as it feels is appropriate, noting that it's immune from complaints from Zango under section 230 of the CDA.

Zango appealed, claiming that Kaspersky shouldn't be immune because the CDA was only supposed to apply to websites, not software makers. The 9th circuit appeals court clearly disagrees and points out that this is exactly the sort of thing Section 230 should protect. It's always nice to see courts reaffirm the immunity granted by Section 230 -- especially since those protections have been under attack lately. Update: Eric Goldman has more.

15 Comments | Leave a Comment..

Sears Settles With FTC For Putting Spyware On Customers' Computers

from the customers-aren't-lawyers dept

You may recall a couple years back, a controversy over the fact that Sears appeared to be installing spyware on the computers of online customers who had agreed to join a "community." Sears insisted this wasn't true, and that it really was software to help create a community of shoppers -- but the evidence suggested otherwise. The FTC eventually got involved, and now Sears has settled the charges that it was unfairly spying on users without clearly indicating this to users. Sears insisted that because the fine print of the terms of service for joining the community said that it would track your online browsing, it was in the clear, but the FTC noted, accurately, that most users would not have gotten that impression from signing up. As Thomas O'Toole notes about this ruling:

I'm pretty sure that attorneys would understand the breadth of the consent covered by the phrase "online browsing." It means everything. The position taken by the FTC signals the agency's belief that consumers should not be treated like lawyers when it comes to privacy-related disclosures. The FTC also appeared to be concerned about the fact that the disclosure was buried in a lengthy privacy statement, which was displayed to the consumer rather late in the consent-collecting process.

This is a good thing. Customers shouldn't need to be lawyers to understand what it is they're agreeing to, and it's nice to see the FTC recognize that fact.

14 Comments | Leave a Comment..

Surreptitious Adware Company Zango Finally Shuts Down

from the about-time dept

Remember back in the days of surreptitiously installed adware/spyware? For the most part, those days are gone, driven out by better security, FTC crackdowns and more sophisticated users. However, one of the big companies in the space, Zango, hung around for years, and finally shut down.

The company, which was originally known as 180Solutions, raised millions from VCs who didn't seem to recognize just how hated the company was, and just how many of its installs weren't by choice, but through annoyance. Then, for years, the company kept trying and failing to shake the "spyware" label, always blaming "bad actors" in its distribution network, but doing little to actually stop any of those bad actors. At times, it even rewarded them or made ridiculous claims about how its software couldn't be used for sneaky installs any more, despite plenty of evidence to the contrary. Incredibly, the company merged with another infamous adware firm and renamed the new company after the firm's most hated app Zango. And then, of course, came the lawsuits and a settlement with the FTC, which the company didn't appear to live up to. Most recently, the company was supposed to have "reinvented itself" in the "casual gaming" market.

Of all things, I'd actually run into some folks from the company at a conference last year, where they were pitching their "innovative advertising solutions," but would clam up or use misdirection any time you asked them for specifics about who would see the ads and how the software had gotten on their computers in the first place. In the meantime, one of the company's founders has written up something of a post mortem, where he suggests that only 4% of their installs early on were "completely silent," but doesn't note how many weren't necessarily "silent," but were done through trickery or a lack of full info. He also blames others in the space for being worse, and getting a bad rap because of their actions. Eventually, he also admits that the company also never provided much value in exchange for the advertisements, and at least is willing to admit that the company's management "was brain-dead" and should have recognized this early on. It's a fairly open and honest piece on what happened, though I think he doesn't give nearly enough blame to the company itself. It was quite evident how problematic the company's actions were from a very early stage, and the fact that it continued right up until recently suggests this wasn't just a case of a few small mistakes, but a systematic culture at or around the company that encouraged those types of actions.

16 Comments | Leave a Comment..

Porn Shakedown Company Takes Its Business Model And Moves On

from the good-riddance dept

Last year, a company called Platte Media came to light in the UK, after it started running a slightly bizarre spyware extortion scheme. The company would suck users in with a site promising licensed blockbuster movies, then take users through a registration process that involved installing some adware on their PCs. It didn't actually have the movies, just some trailers, and drove users to pornographic content. If users didn't cancel the "trial" they'd unwittingly agreed to in the process, they'd start getting popups on their screen, demanding payment of subscription fees. But the company has now shut up shop in the UK, though it's not clear if it's because the company wasn't properly paying taxes or because of scrutiny from the country's Office of Fair Trading. The company says it's pulled out for business reasons, but nobody will likely care too much, as long as it just goes away.

Carlo Longino is an expert at the Insight Community. To get insight and analysis from Carlo Longino and other experts on challenges your company faces, click here.

4 Comments | Leave a Comment..

Bogus Spyware Scan Companies Held In Contempt Of Court

from the like-they-care dept

Earlier this month, we noted that the FTC had cracked down, yet again, on a company for putting up a bogus spyware scanner. The company would get people to their site where it would supposedly "scan" their hard drive for spyware. Of course, the scan was entirely bogus, and the scan would always tell you that your computer was rife with spyware. Then the site would tell you to buy its anti-spyware product for about $40. Of course, that anti-spyware product did absolutely nothing. The FTC ordered the company to shut down, but apparently the company is ignoring the order. It's now reached a point where a court has found the company in contempt and ordered it to pay $8,000/day until it complies. The execs in the company have had their assets frozen and the judge is now threatening to have them arrested. Sure, scamming may be easy money, but you would think these guys would at least shut down this operation and move on to some other bogus scam, rather than outright ignoring the court and the FTC.

Update: Now it comes out that these sites are using URL redirectors via Microsoft and the IRS to make people think they're legit.

6 Comments | Leave a Comment..

FTC Shuts Down More Bogus Spyware Scan Companies

from the here-we-go-again dept

A few years back the FTC shut down some scam fake anti-spyware companies that would advertise "free scans" of your computer and would then (of course) tell you you had spyware. The scam, of course, was that for a fee of only $30 or $40, you could buy their "software" that would supposedly rid your computer of spyware. Of course, your computer probably didn't already have spyware, and the software you bought certainly wouldn't do anything towards ridding your computer of any actual spyware. It looks like some new scammers have picked up where the old ones left off, because the FTC is announcing, yet again, that it's been able to shut down some bogus anti-spyware operations. Apparently, this operation was slightly more scammy, because advertising networks have stopped accepting ads for such bogus anti-spyware. So, instead, they pretended to place ads for legitimate companies, but then used some code to swap out the "good" ad with the bogus anti-spyware ad.

10 Comments | Leave a Comment..

Is The Original Spyware Company Finally Dead?

from the a-milestone dept

For nearly a decade, we've followed the changing business of what was originally called Gator. When it first launched, back in 1999, the company was offering an e-wallet product, and even though there were many such things on the market, Gator insisted that it was first. When it turned out that there wasn't much of a market for an e-wallet product, the company quickly morphed its business into popping up ads over existing ads -- which resulted in a whole bunch of lawsuits. It didn't take long before Gator realized that people didn't really want its software popping up ads, so it began tricking users into downloading. As many folks recall, Gator was one of the first real "spyware" companies -- tricking users into downloading a product that watched what they surfed and popped up ads.

As the whole spyware (the companies in the space preferred the adware label) got a bad name, Gator first threatened to sue anyone who called its product spyware, and then eventually decided to shed the baggage of the Gator name and renamed itself Claria. -- insisting that it was now a legitimate advertising firm. Except, the charges of spyware kept flying in Claria's direction. The company tried and failed to go public, and then, once again, insisted that it was getting out of the adware business and moving into "behavioral advertising" -- which, most people realized was just another term for what it had been doing in the past.

Plenty of folks were shocked when rumors started spreading that Microsoft wanted to buy Claria, though, the public backlash to the "leaked" rumor was so harsh that Microsoft very quickly backed away from those plans. So, without being able to IPO or sell itself -- and with a still awful reputation as a spyware provider, the company tried to change once again.

The company insisted (yet again) it was getting out of that old sketchy business, and tried to launch a "portal" that would provide relevant content based on how you surfed. In other words: it was still in the spyware business, just positioning it under a better name. The company did try and fail to sell off its traditional adware business.

After that, honestly, we hadn't heard much of a peep out of the company. Despite launching its portal to great fanfare (we were inundated with PR spam from the company about this great "portal" idea), it didn't seem to get any traction. We apparently missed the news that recently the company (through a somewhat complex transaction) changed its name, yet again, to JellyCloud. Basically, the same exec team started a new company just a few months ago, raising another $11.5 million, and then took over Claria, though carefully hid all connections to its past, claiming to be just another online advertising company.

However, Valleywag is now reporting that the company shut down this weekend (despite having just raised all that money, and not counting all the money it raised in the past). If so, it's a rather quiet end for the company that really did become synonymous with the "spyware" term, and helped create that whole space.

10 Comments | Leave a Comment..

UK Police Stop Phorm Investigation, As They Don't See Any Criminal Behavior

from the civil,-however.., dept

While American competitor NebuAd may be on the verge of shutting down, it appears that Phorm, the controversial clickstream tracking, behavioral ad company that focused mainly on the UK market, may be dodging a series of bullets. First, the government said that clickstream tracking could be legal if the situation was clearly explained to customers and there was an obvious mechanism for opting out. Now, UK police are dropping their own investigation of earlier trials with BT, which many believed were illegal because they were done with no notice to consumers at all, and no way to opt-out. That would seem to go against the government's earlier statements, but the police are saying that there's no evidence that this is a criminal matter -- which would leave this open to civil lawsuits from individuals who were impacted by the trials.

8 Comments | Leave a Comment..

Yet Another Company Sues Over Being Called Adware

from the yet-again dept

We've seen a few such cases in the past -- and they usually end with a judge telling the suing company to shove off, but here we have yet another company upset that its being labeled as an adware/spyware provider. In this case, it's a company called 7Search, which is suing McAfee. 7Search is claiming that McAfee's warning about "downloads" from its site having been "credibly" called adware or spyware are false and defamatory because 7Search no longer offers software for download off its site (though it apparently did in the past).

As Eric Goldman notes in the link above, just bringing these types of lawsuits tends to backfire. As we noted above, they rarely, if ever, win, and simply filing the lawsuit draws much more attention to the company -- often including reports from users about why they do think the software in question is adware or spyware. In the meantime, if 7Search no longer offers downloads, then it's not clear what it's upset about either, since it's not like the McAfee warning is going to stop people from downloading its software -- since, apparently, there's no software to download.

9 Comments | Leave a Comment..

Research Into NebuAd Finds Controversial And Potentially Illegal Tactics

from the not-looking-good dept

NebuAd is a company we've discussed before, that basically works with ISPs to use your clickstream data to send targeted ads. It's quite similar to Phorm, which has received plenty of attention for its questionable behavior over in the UK. Now, some researchers have looked into the details of what NebuAd really does... and it's not pretty:

NebuAd exploits normal browser and platform security behaviors by forging IP packets, allowing their own JavaScript code to be written into source code trusted by the Web browser. NebuAd and ISPs together cooperate in this attack against the intentions of the consumers, the designers of their software and the owners of the servers that they visit.... NebuAd breaks the rules of acceptable behavior on the Internet. It monitors what you do and see on the Internet, it breaks in and changes the contents of your private communications, it keeps track of what you've done, and if you even know that it's happening, it is impossible to opt-out of it."

Perhaps Charter Communications and other ISPs that have signed up for NebuAd should have researched things a little more thoroughly. Congress is already investigating the legality of something like NebuAd, and one assumes that a report like this may find its way to many of those politicians pretty quickly.

13 Comments | Leave a Comment..

What If Sneaky Adware Died And No One Noticed?

from the well-look-at-that... dept

Eric Goldman has a fascinating post, pointing out that the era of sneaky adware seems to be pretty much over. For quite some time, one of the biggest annoyances online for many users were surreptitiously-installed client side adware programs that would pop up unwanted ads while you did other things. However, it appears that a combination of factors have pretty much wiped them out. Legal rulings found that the surreptitious installs (either with no notice or misleading notices) were fraud. Companies were sued, fined and went out of business. Security firms got better at catching and blocking these programs, and the few remaining firms in the space moved on to other projects (though, some are equally questionable). Either way, most folks probably didn't notice, because they either learned to avoid the sneaky adware or they were already well enough protected from it. Yet, as Goldman points out, pretty much everyone (with the possible exception of Zango) is no longer in the business of tricking people into installing ad-spewing software.

Of course, Goldman points out that no one has let the politicians in on this news yet, as many are still pushing various anti-spyware legislation that probably doesn't matter any more. He also points out that this doesn't mean questionable ad activity isn't still happening -- it's just moved on from sneakily installing an application on your harddrive. That's why Phorm (a former client-side adware maker) is in so much hot water these days. Its behavioral ad targeting solution may not be the same as the surreptitious client side ad spewing software -- but it's still surreptitiously watching your behavior and displaying ads based on it.

14 Comments | Leave a Comment..

Anti-Spyware Companies Debate Blocking ISP-Injected Advertising

from the the-battle-continues dept

With a growing number of ISPs using services from companies like Phorm and NebuAd to inject ads into your web browsing based on your surfing habits, anti-spyware companies are starting to take notice and debate whether or not they should start blocking some of these activities. While there's no downloaded software, these services all use cookies to track your surfing habits, and anti-spyware offerings could certainly step in and block those cookies or more proactively warn users that their surfing data is being used in this manner. Considering how hard Phorm has worked to shed the "spyware" label it had been given in a previous life, the company can't be too pleased to hear about this development. Of course, it's probably more concerned with questions being raised about whether or not its service is even legal.

16 Comments | Leave a Comment..

British ISPs Hand Over Your Surfing Data To (Former?) Spyware Firm

from the privacy? dept

Earlier this month, we noted that three large UK ISPs had agreed to a questionable deal with a startup named "Phorm." The ISPs would share all of your surfing data with Phorm who would then target advertisements to you based on your surfing patterns. We raised some privacy concerns, and noted that Phorm's claims that it would anonymize the data were laughable, since every "anonymized" data set seems to get quickly de-anonymized. In the comments to that post, one commenter noted that the story was even worse, as Phorm was merely the reincarnation of a spyware firm that had made a rather infamous rootkit. Broadband Reports now has more on that story, noting that the firm has a very shady past. It makes you wonder why these big ISPs would link up with such a company and why more people aren't up in arms about what their ISPs are doing with their data.

8 Comments | Leave a Comment..

FTC Recongizes That Perhaps Spamford Wallace Likes To Spam People

from the i'll-have-your-spam-i-love-it dept

If you've followed the spam/scam space for a while, you know the story of Sanford "Spamford" Wallace -- the original big name spammer. He was proud of what he did, though eventually claimed to shut down and go legit, even trying to run a night club for a while. However, the allure of questionable internet marketing activities proved to be too strong, and before long he was back on track, this time in the spyware business. Eventually, the FTC fined him $4 million, though, they apparently drastically lowered the amount when he showed hardship. A year ago, it was discovered that soon after this settlement with the FTC, Wallace went right back to spyware distribution using MySpace. The FTC doesn't seem nearly as inclined to cut Wallace any slack this time around, as it's filed contempt charges against Wallace, demanding that he hand over all of the profits from his MySpace scamming. The filing reveals more details that show just how scammy Wallace was on MySpace. He didn't just set up 11,000 fake profiles, as mentioned in the original filing, but he also used phishing techniques to get other users' logins, and then used the logins to spam other MySpace pages with comments. On top of that, he installed software to make it quite difficult to delete those comments. All this effort paid off, apparently earning Wallace $555,850 in just six months.

5 Comments | Leave a Comment..

Sears Online 'Community' Still Looks More Like Spyware Than A Community

from the let's-try-that-again dept

Last month we wrote about how Sears and K-mart's websites both were urging people to join a "community," but that community didn't seem like much of a community at all. Instead, it involved quietly installing Comscore's tracking software without telling the user, and then tracking all of their web usage. Following all of this, a VP from Sears responded to CA's original post on the subject trying to refute the claims. However, well-known spyware researcher Ben Edelman has now weighed in on the subject, checking out this "community" and finding plenty to dislike. As the initial report noted, it's not clear at all to users that they're installing Comscore's tracking app, and even the few notifications that mention it are somewhat unclear. Given that both Edelman and CA have pretty clearly documented what's happening, it's hard to see how Sears can claim that the company "goes to great lengths to describe the tracking aspect."

15 Comments | Leave a Comment..

Adobe Spying On Its Customers

from the now-that's-just-not-very-nice dept

It's not all that surprising these days to hear about software companies having their software "phone home" in some manner or another, though it's often quite annoying. However, it looks like Adobe has taken this to a new level. As highlighted by Valleywag, Adobe's CS3 design software includes a system to provide your usage data quietly to a "behavioral analytics" firm named Omniture. Of course, it does this without ever asking you if you want some random company knowing every time you use this piece of software. While it may not be doing anything nefarious, this certainly has all the hallmarks of spyware, including the fact that it tries to (weakly) disguise the connection to Omniture by making it look like it's simply pinging your local network. It's really amazing that companies keep doing this type of thing thinking that people won't catch on. There may be plenty of legitimate reasons for tracking the usage of a piece of software -- but if so, why not be upfront about it and let the user of the software opt-in to sharing his or her data? Yet another reason to use a firewall that catches these sorts of sneaky outbound connections. Update: John Dowdell, an Adobe employee (and long time Techdirt reader) has replied in the comments, noting that he's talking to folks at Adobe to find out the whole story, but he thinks it's the "live update" function. I'm not sure I understand why a live update function would call an analytics firm -- or why the ping to that analytics firm should be disguised as a local network ping, but that's the story coming out of Adobe right now. Will update again if any more details become clear. Update 2: Further response from Adobe here. It explains what the connection does and also admits that the company should have done a better job making it clear.

60 Comments | Leave a Comment..

Sears.com: Join Our Community... So We Can Spy On Your Every Online Move

from the ouch dept

Rich Kulawiec writes in to let us know that Sears.com and Kmart.com (owned by Sears) have been inviting visitors to those sites to "join our community." However, rather than joining any actual community, what you appear to be doing is installing spyware that reports on your every move online. It's actually a trick to get you to install Comscore's tracking app. Comscore has been accused in the past of distributing spyware surreptitiously, which the company vehemently denies -- but it's hard to see how this is above board. It's certainly worse than Facebook's Beacon fiasco. What happens is that you are asked if you want to "join the community," and then, without clearly explaining what the software does, Comscore's tracking software is installed. After that, all of your online activities -- including to "secure" sites like banking sites -- is sent directly to Comscore, despite Sears' website insisting that none of the data you share will go to anyone but Sears. As for the "community," it doesn't seem like there is one. The security researcher who signed up for the community says that once the software is installed, there's no obvious indicator that it's installed or running -- and he received no "communications" from the so-called community whatsoever. Basically, it sounds like it's just a trick to get you to install this tracking software while hoping you'll forget about it.

19 Comments | Leave a Comment..

German Proposal Gives A New Perspective On 'Spyware'

from the big-brother-is-hacking-yo dept

A VoIP expert has unveiled new proof-of-concept software that allows an attacker to monitor other peoples' VoIP calls and record them for later review. Unencrypted VoIP really isn't very secure; if you have access to the raw network traffic of a call, it's not too hard to reconstruct the audio. Encrypted traffic is another story. German officials have discovered that when suspects use Skype's encryption feature, they aren't able to decode calls even if they have a court order authorizing them to do so. Some law enforcement officials in Germany apparently want to deal with this problem by having courts give them permission to surreptitiously install spying software on the target's computer. To his credit, Joerg Ziercke, president of Germany's Federal Police Office, says that he's not asking Skype to put back doors in its software. But the proposal still raises some serious question. Once the installation of spyware becomes a standard surveillance method, law enforcement will have a vested interest in making sure that operating systems and VoIP applications have vulnerabilities they can exploit. There will inevitably be pressure on Microsoft, Skype, and other software vendors to provide the police with backdoors. And backdoors are problematic because they can be extremely difficult to limit to authorized individuals. It would be a disaster if the backdoor to a popular program like Skype were discovered by unauthorized individuals. A similar issue applies to anti-virus software. If anti-virus products detect and notify users when court-ordered spyware is found on a machine, it could obviously disrupt investigations and tip off suspects. On the other hand, if antivirus software ignores "official" spyware, then spyware vendors will start trying to camouflage their software as government-installed software to avoid detection. Ultimately, there may be no way for anti-spyware products to turn a blind eye to government-approved spyware without undermining the effectiveness of their products.

Hence, I'm skeptical of the idea of government-mandated spyware, although I don't think it should be ruled out entirely. That may sound like grim news for law enforcement, which does have a legitimate need to eavesdrop on crime suspects. But it's important to keep in mind that law enforcement officials do have other tools at their disposal. If they're not able to install software surveillance tools, it's always possible to do it the old-fashioned way--in hardware. Law enforcement agencies can always sneak into a suspect's home (with a court order, of course) and install bugging devices. That tried and true method works regardless of the communications technology being used.

Timothy Lee is an expert at the Insight Community. To get insight and analysis from Timothy Lee and other experts on challenges your company faces, click here.

8 Comments | Leave a Comment..

FTC Wants More Power To Fine Spyware Companies

from the a-little-punishment-could-be-useful dept

While the FTC has gone after some spyware/malware providers, they're somewhat limited by current laws over how much they can fine those companies. That's why we've seen stories of such firms getting fines that are a tiny fraction of the actual money they made. Now, the FTC is pushing Congress to change the laws to give the FTC the ability to actually punish these firms with large fines, rather than just being able to go after profits. The article linked here frames it as a debate over whether or not Congress should pass anti-spyware laws, but why can't the FTC use current laws concerning deceptive marketing techniques to punish these firms? Does it really need a special separate law that tries to define spyware?

11 Comments | Leave a Comment..

Ding Dong, DirectRevenue Is Dead

from the apparently-it's-tough-to-make-money-being-legit dept

DirectRevenue was considered one of the worst adware/spyware firms out there for many years. The company was famous for changing names every time people started to figure out how sleazy the company's marketing techniques were, and then repeatedly claiming it had cleaned up its practice of sneaky installs when the reality was that it kept doing the same thing. Eventually, the company was sued and paid a $1.5 million fine -- significantly less than the $28 million in profits the firm's founders apparently had made (and the $80 million the company had brought in over the years). Either way, now that the lawsuits appear to be done, and the fact that it's pretty difficult to make any money in that business without surreptitious installs, the company is shutting down. I'm sure the founders who walked away with all that money aren't too upset by it, however.

5 Comments | Leave a Comment..