ASW Vendors in La-La Land

bedelman
Premium
join:2004-06-20
Cambridge, MA

reply to eburger68
Problems with the new LavaSoft detection criteria

I carefully read the new TAC, as posted at www.lavasoftnews.com/ms/research/tac.htm . I think the TAC remains seriously flawed and poorly designed. Let me explain.

Detection rules shouldn't be written in a vacuum. We've all seen what providers of unwanted software often do, what behaviors systematically raise problems, what reforms are typical, and what issues often remain. Any sensible, helpful rules have to take into account the current points of contention and ambiguity -- the issues that have arisen time and time again. If rules are silent on these issues, they're unhelpful -- failing to give guidance to the questions that inevitably arise.

So let's look at some example TAC criteria.

"Auto-updates without user permission and/or knowledge."

What does "user's permission and/or knowledge" mean? Does a EULA disclosure suffice to establish permission? Does a disclosure at the time of installation suffice to establish permission? Even if written in euphemisms? How about a permission granted only via a license shown in a link at time of installation, but never actually shown to users except upon their specific request? Or is the only permissible approach what legit companies do -- actually showing users some on-screen indication when an auto-update is to occur? I think this last reading is the most sensible and, conveniently, also the most pro-consumer. But there's so much ambiguity in the stated "rule" (if we can call it that) that it's far from clear what the rule actually means. Can Claria claim to update only with user permission because, when Claria was installed (potentially months or years before), a user had an opportunity to click a confusingly-worded link to view a license, that on page 25 of 50 would have mentioned an auto-updater?

"Connects to a remote system with or without the user's awareness to transmit usage statistics and/or personally identifiable information."

This statement raises all the same problems. Can a mere EULA suffice to establish a user's "awareness"? Even if that EULA is never actually shown? Or shown only in a tiny scroll box with dozens of pages of hard-to-read text?

I like the idea behind "Serves no discernable function other than as a vehicle for the distribution of advertising content." But what does "no discernable function" mean? How about "comes bundled with a P2P program that a user requested"? Is that a "discernable function"?

So, at every turn the TAC identifies behaviors related to what problematic programs do. But never does the TAC draw a real line in the sand. Implement this TAC, and you'll still get call after call from vendors claiming their EULAs grant them full permission to do everything they do. A better TAC would make it clear that users' supposed permission is not enough -- that when users are tricked into installing the software, via deceptive popups or confusing bundles, no "consent" can possibly be granted. Or if Lavasoft's position is that in fact a EULA is sufficient to permit all the behaviors described above, then why not come out and say so, so your users can then decide if that's the kind of company they want to count on for detection and removal services.


fatdcuk
Premium
join:2005-02-20
England
Thank you, Ben, for this insight; also thank you for all your other efforts for our benefit. Fight the good fight :)


jmorlan
Hmm... That's funny.
Premium
join:2001-02-05
Pacifica, CA
·Pacific Bell - SBC

reply to bedelman
Re: Problems with the new LavaSoft detection criteria

A good post and I'm going to give it a thumbs up.

The deeper problem as I see it, is that there are valid disagreements over what constitutes spyware, adware, malware, trackware, etc. This is why programs like AdAware and the others have such a poor score in removing it. It's similar to spam. I know it when I see it, but it's hard to write a program out-of-the-box that will recognize it without error.

I ran into a similar problem some time back when I had installed IESpyAd and found I was unable to download a program because the site had been blocked. Eventually that block was removed, but it's quite clear to me that there is a fine line between blocking rogue sites and allowing an expected normal surfing experience. This is one reason, I don't run SpyWareBlaster. I found it blocked too much for my taste without giving me a chance to decide. I still run Ad-Aware and SB S&D as stand alone scanners but do not enable any of the resident stuff. I also run WinPatrol resident, because I like the way it gives me the option to approve or disapprove of any critical changes.

Somebody posted a definition that said "If it installs itself without the user's consent and displays advertisements, it's spyware and should be detected/removed." This is way too simplistic. As you point out, what constitutes "consent?" Certainly current versions of WhenU would not qualify as Adware under that definition no matter how "consent" was defined.

It wasn't too long ago that I found a Trojan on my system. I sent it to my anti-virus company at the time (Norton) and they analyzed it but did not add it to their definitions because they determined it was not a "true virus." This type of arrogance is similar to what we are seeing with LavaSoft. It became clear that there was a need for dedicated Trojan detection apart from generalized virus scanners. Now there are a number of excellent choices in that market, a market created by the arrogance of anti-virus companies in the past.

I am confident that the market will continue to be a driving force in getting us the products we want. It's not easy producing anti spyware, when there are so many fuzzy areas, possible legal challenges, disagreements, etc. Anti-spam products are even tougher, because of the danger of false positives and blocking of critical email.

I suspect LavaSoft is guilty of bad judgment, just as I think Norton was guilty of bad judgment not including Trojans early on. The market will be filled by other offerings and informed people will make their own choices.
--
NewsPlex Discussion Group


Grail Knight
Who Dares Wins
Premium
join:2003-05-31
 reply to bedelman
Very good post.

JPCass

join:2001-01-23
Denver, CO

reply to bedelman
Re: Problems with the new LavaSoft detection criteria

The other question this raises for me is, is it good enough if a mal/ad-ware update routine puts up a window the first time it runs, with the "do not show this message again" box already checked, or even unchecked but available as an option? In my experience, it's too easy to accidentally mouse or keystroke through one of those windows that pops up unexpectedly, and other users of a computer - particularly family members - may go ahead and complete one of those windows without understanding the implications.

I'm starting to think that mal/ad-ware detection software has to include anything that "phones home" and other characteristics, regardless of how the user may or may not have consented to it at one time. Software that is relatively better about informing the user and giving them choices might be coded as a lesser threat, or even put in a different category, but it all has to be listed or else the lines between what's included and what's not are too problematic.

The key point that occurs to me, is that if mal/ad-ware detection software is going to be a truly useful inspection tool, it has to be able to generate a full listing of all mal/ad-ware and "phone home" software on the system, that was installed at any point by any user under any circumstances. Otherwise, it's not useful as a diagnostic, maintenance, or network management tool, only for use on a single-user system that it was installed on when the system was clean of mal/ad-ware to start with, and which is run by a user who understands the program and how mal/ad-ware functions. Perhaps that defines the distinction between a business/professional grade version, and a "personal" version that may be available for free download, but a company can't claim to be serious unless they take a thorough level of detection into account.

angryoracle

join:2005-01-27
Stratford, CT

reply to bedelman
Re: Problems with the new LavaSoft detection criteria

"Serves no discernable function other than as a vehicle for the distribution of advertising content."

I wouldn't personally want something like that on my PC either, but who are you -- or, looking a few years down the road as pressures mount for government to "do something" -- to tell me that an application with nothing but advertising is inherently bad? This anti-business refrain that has descended upon anti-spyware does an incalculable amount of damage, placing the emphasis on how awful advertising is rather than focusing on the only possible violation by the adware companies -- objectively provable fraud.

Installation through security holes, ActiveX that mislabels its contents, unspecified bundles, and the like certainly constitute this type of fraud. But Ben, when do you plan to hold consumers accountable? I know it seems like anti-spyware sacrilege to put any of the responsibility for this problem in the hands of individual Internet users, but some of it certainly has to fall there. When a EULA is misleading or blatantly dishonest, we have a problem, to be sure. But don't take the position of "Well, they're so long and boring, so accepting the terms isn't really accepting the terms." With equal logic, you could invalidate nearly every written agreement on the Internet, from mortgage refinancing to investments to shopping.

I'm on your side, believe it or not. I want software applications that are genuinely deceptive, dishonest, harmful, and fraudulent in nature to be wiped off the Internet with the full force of focused legal action and technical responses. But this idea that all advertising, anywhere, is bad is what's stopping that from happening. Government has a penchant for jumping on bandwagons like the spyware problem as chances to look like they're "doing something." Often times, the problem is made worse by the actions that were ostensibly supposed to solve it. Let's have one, clear set of legislation with respect to spyware.

- If it installs unknowingly, by objectively provable standards, it's illegal. If you can't get rid of it at will, it's illegal. If it performs anything other than what it specifies in a EULA that was clearly presented, or if anything in the EULA is in and of itself illegal, the application is illegal.

As far as detection standards, I think the framework proposed by Microsoft/GIANT does a great job. Let's just ditch the anti-business canard.


Karl Bode
News Guy
join:2000-03-02

quote:
Let's just ditch the anti-business canard.
Sigh, and out come the free-market "stop picking on the poor corporations" apologists.

How is a user stating they want an anti-spy/adware application that bans all spy/adware - even the ad-serving apps they may have agreed to in a 72 page EULA - "anti-business"? It's their time and their PC!

Have their decision to remove an adware-centric app via an anti-spyware tool be the equivalent of "un-signing" the EULA, then disable dependent apps accordingly. They don't want your products or your ads! Move on!

How is a user stating they want their PC cleanup tool of choice to utilize consistent detection criteria - criteria that doesn't waver when a corporation whines - "anti-business"?

It's smart business! You're wasting your time pitching ads to these people! If they're using a handful of apps and an hour a week to clean their PC and shut your sales pitch off, take a hint! They don't want any!

Christ, marketing corporations dominate the news via regurgitated press releases, they ruin groups like COAST, they buy off legislators to craft friendly legislation, they bribe security vendors to weaken detection criteria....

And you want to make the handful of pro-privacy advocates like Ben Edelman out to be something negative ("anti-business") because they want a removal tool with integrity?


Aquias

@broadviewnet.net

"to tell me that an application with nothing but advertising is inherently bad"

Yeah, I'm lazy so I'm not registering. That line, specifically that line, bothers me a great deal.

No one is stating that the program is inherently bad, people are stating they don't WANT it, big difference. There is also a big difference in how you're trying to argue this vs the reality of it.

ALL, at least any I've utilized, antispyware programs list out each entry and give you the option to remove it or to keep it. How is that not allowing you the choice to keep an advertising bit of software on your system? If all programs removed each entry, without user interaction, you'd have a case. What you're suggesting, although not directly, is that the exclusion of such a program is fine. Well, you've just taken away MY choice on whether or not I want it. All known malware (whether or not they're deemed "TAC" friendly) should stay within the program.

Once they become "friendly" they should be flagged differently by the program to allow the user to know that there may be a difference in the software detected vs the original definition.

Now, I do grant that a good point was made, we all should take the time to read the EULA. And I go through most of them, provided I have the time. But I shouldn't have to tear through each EULA looking for the one line that says "Oh, by the way, you're receiving these software packages and they must stay installed, enjoy".

If the EULA is going to be something these companies hide behind, as is their right, then the EULA needs to be re-worked to be a "readable" document. It needs to be broken out and made easier to read (i.e., less legal-speak and about 70 pages shorter).

Lavasoft had every right to delist WhenU. They did not have the right to try and sneak it "Under the radar", nor to ignore the outcry of the community at large for nearly a week (or was it longer?). That is where my biggest issue with them comes to light.


Karl Bode
News Guy
join:2000-03-02

That users don't want any of it is consistently ignored.

They're so afraid of looming laws that could impact marketing industry profits, they've drafted a set of talking points; namely:

1) Adware is good, it's spyware that is evil.

2) Pitching Adware is our god given right.

3) You clicked the 72 page EULA, too bad. Anyone who wants this junk off their PC now is "anti-business".

They ignore the fact you don't want any of it, whether it's called spyware or "Rhino-ware", or you wouldn't be fudging about with three removal apps and a handful of other tools, while avoiding applications such as Kazaa like the plague.

Pretty soon you'll be told if you remove adware, you don't support the troops.
© 1999-2009 dslreports.com