Yesterday, in an update to my post about the ongoing Microsoft/Claria rumors, I wrote:
The real story is that Microsoft has decided that high-profile adware makers who achieve a minimum threshold of disclosure (including Claria and WhenU) will be able to get an “Ignore” rating.
Microsoft earned a tremendous amount of goodwill earlier this year when it released a beta version of Windows AntiSpyware. That goodwill is vanishing at an alarming rate thanks to the rumors that Microsoft plans to buy Claria, a company that made its fortune as a leading distributor of spyware and adware. To compound the problem, Microsoft apparently relaxed its standards for certain high-profile adware companies, Claria included, earlier this year. This post details how much damage Microsoft is doing to itself and offers two admittedly controversial recommendations for how it can recover.
There’s no doubt that Microsoft has lightened up on some big names in the spyware/adware business. You can see some examples at the Sunbelt Blog, which is run by a company that sells a version of the GIANT AntiSpyware software that Microsoft purchased late last year and has repackaged as Windows AntiSpyware. Sunbelt’s Alex Eckelberry reports, accurately:
[W]e have reports now that there are a number of other items that have been downgraded to “Ignore” status, including certain WhenU adware programs, WebHancer and Ezula Toptext. So the Claria downgrade is quite likely part of a bigger picture regarding Microsoft’s listing criteria for adware.
Here’s the result of a scan I did just a few minutes ago on a system that has Claria’s GAIN adware components installed.
The software used to recommend removal. Now it says “Ignore.” Why was this change made? In a “Dear Customer” letter at Microsoft’s Security site, the Windows AntiSpyware team tries to explain and fails miserably:
As you may know, the analysis of software is based on a single set of objective criteria, which can be found on our web site: Windows AntiSpyware (Beta): Analysis approach and categories.
Microsoft offers all software companies the opportunity to request a review of how Microsoft classifies their products through our vendor dispute process. In January, Claria filed a request for Microsoft to reevaluate some of its products. Upon review of their software against our criteria, we determined that continued detection of Claria’s products was indeed appropriate. We also decided that adjustments should be made to the classification of Claria software in order to be fair and consistent with how Windows AntiSpyware (Beta) handles similar software from other vendors. At the end of March, we communicated to Claria the result of our analysis through our standard process.
We take software analysis for Windows AntiSpyware (Beta) very seriously and handle all vendor requests in the same manner. All software is reviewed under the same objective criteria, detection policies, and analysis process. Absolutely no exceptions were made for Claria. Windows AntiSpyware (Beta) continues to notify our users when Claria software is found on a computer, and it offers our users the option to remove the software if they desire.
That sounds good, but it doesn’t pass the smell test. Why not publish Claria’s request and Microsoft’s response so that customers can understand what changes were made and why? And why claim that there is a strict set of rules, when there’s no such thing? If you follow the link that Microsoft provides, you get to a well-written white paper that in fact does not include a “single set of objective criteria.” Here’s the relevant portion of the white paper. I’ve highlighted (in red) the parts that directly fly in the face of Microsoft’s claim to be applying objective criteria:
Microsoft researchers use the criteria categories described in this white paper to determine whether a program should be added to the definition library for detection, and what classification (type, risk level, and recommendation) would be appropriate.
The criteria categories include, but are not limited or restricted to:
- Deceptive behaviors: Includes problems with:
  - Notice and consent about what is running on the user’s machine;
  - Control over the actions taken by the program while it is running on the machine; and
  - Installation and removal of the program from the machine at the user’s discretion.
- Privacy: Issues in collecting, using, and communicating the user’s personal information and behaviors without explicit consent.
- Security: Negative impact on the security of the user’s computer or attempts to circumvent or disable security, including but not limited to evidence of malicious behaviors.
- Performance Impact: General impact on performance, reliability, and quality of the user’s computing experience (e.g., slow computer performance, reduced productivity, corruption of the operating system, or other issues).
- Industry and Consumer Opinion: The software industry and individual users play a key role in helping to identify new behaviors and programs that could present risks to the user’s computing experience.
The context, intent, and source of the program are taken into consideration in determining whether certain criteria categories apply. For example, antivirus or firewall software that automatically starts (autostarts) without user input can be useful for helping to detect and block malware. In other cases, system services (such as print spoolers) may run in the background with limited or no user interface but have widely-accepted, legitimate purposes. Many legitimate programs could be flagged if criteria categories were applied without considering the context, intent, and source of the software.
Note that Microsoft reviews the behaviors of programs installed not only by the software vendor but also by its third-party affiliates to determine whether the software vendor and/or its affiliates should be included in the definition library.
Because new forms of software and their related behaviors evolve rapidly, Microsoft and other anti-spyware vendors need to be able to respond quickly and adjust classification criteria appropriately. Therefore, Microsoft reserves the right to adjust, expand, and evolve its criteria for analysis without prior notice or announcements as these new threats materialize.
In other words, someone (or a group of someones) at Microsoft decides, on a case-by-case basis, whether a particular piece of software should be included on the detection list, how it should be classified, and what action should be recommended to the user when the result is displayed after a scan. That’s reasonable. But it’s not what Microsoft is telling us, its customers.
If you follow the Microsoft links, all you know is that Claria complained, Microsoft reviewed its classification, and a change appeared in the list. Microsoft knows why. Claria knows why. Microsoft customers know nothing. Was the original classification wrong? Did Claria change its behavior in some significant way that caused Microsoft to re-evaluate its classification? Was there another reason for the change? Ben Edelman has an excellent summary of how badly Microsoft is screwing up:
Has Microsoft given in to vendors’ threats? Or forgotten how badly “adware” damages the Windows experience (ultimately encouraging users to switch to other platforms)? I’ve previously been impressed with Microsoft’s AntiSpyware offering; I’ve often used it and often recommended it to others. But screw-ups like this call Microsoft’s judgment into question. During this sensitive period, with Microsoft unwilling to deny the continued Claria acquisition rumors, Microsoft should be especially careful to put users’ interests first. Instead, Microsoft’s recommendations cater to the interests of the advertising industry. I’m not impressed.
Microsoft isn’t providing any details about the reasons for its decisions. And that’s the problem: no transparency. Microsoft gives customers no reason to trust Windows AntiSpyware to classify potentially unwanted software accurately and to recommend actions that are in its customers’ best interests.
Scoble says Microsoft’s AntiSpyware team should start blogging. Perhaps. But if all they’re going to do is provide random explanations and swat at critics, that won’t do much good. A product like this requires formal communication with customers, first and foremost. I have two recommendations that Microsoft could adopt that would go a long way toward establishing an objective basis for that trust:
- Publish the Windows AntiSpyware database. Put it on the Web. Make it searchable. Provide a description of why each product is listed, how it’s classified, and what the recommended action is. Include a change log to document when classifications and recommendations change and why. Make the review process public. Ben Edelman has made this suggestion before, and I agree with it.
- Release control of the detection database to a truly neutral third party. If Microsoft controls the contents of the database, it will never be able to overcome the perception that it is basing its decisions on criteria related to profit and not on user needs. Create a nonprofit organization with an independent board of directors and well-qualified management, give it a charter, fund it through an endowment, and agree to indemnify it for any legal costs related to complaints over classification. Let that group build a spyware classification system using published criteria and feedback from customers. Publish the database under a Creative Commons license. If the organization providing this database has no commercial interest to provide a potential conflict of interest, the Clarias of the world would have quite a burden to overcome before they could establish that they’re being unfairly targeted.
How about it, Microsoft?