Yesterday, in an update to my post about the ongoing Microsoft/Claria rumors, I wrote:
The real story is that Microsoft has decided that high-profile adware makers who achieve a minimum threshold of disclosure (including Claria and WhenU) will be able to get an “Ignore” rating.
Microsoft earned a tremendous amount of goodwill earlier this year when it released a beta version of Windows AntiSpyware. That goodwill is vanishing at an alarming rate thanks to the rumors that Microsoft plans to buy Claria, a company that made its fortune as a leading distributor of spyware and adware. To compound the problem, Microsoft apparently relaxed its standards for certain high-profile adware companies, Claria included, earlier this year. This post details how much damage Microsoft is doing to itself and offers two admittedly controversial recommendations for how they can recover.
There’s no doubt that Microsoft has lightened up on some big names in the spyware/adware business. You can see some examples at the Sunbelt Blog, which is run by a company that sells a version of the GIANT AntiSpyware software that Microsoft purchased late last year and has repackaged as Windows AntiSpyware. Sunbelt’s Alex Eckelberry reports, accurately:
[W]e have reports now that there are a number of other items that have been downgraded to “Ignore” status, including certain WhenU adware programs, WebHancer and Ezula Toptext. So the Claria downgrade is quite likely part of a bigger picture regarding Microsoft’s listing criteria for adware.
Here’s the result of a scan I did just a few minutes ago on a system that has Claria’s GAIN adware components installed.

The software used to recommend removal. Now it says “Ignore.” Why was this change made? In a “Dear Customer” letter at Microsoft’s Security site, the Windows AntiSpyware team tries to explain and fails miserably:
As you may know, the analysis of software is based on a single set of objective criteria, which can be found on our web site: Windows AntiSpyware (Beta): Analysis approach and categories.
Microsoft offers all software companies the opportunity to request a review of how Microsoft classifies their products through our vendor dispute process. In January, Claria filed a request for Microsoft to reevaluate some of its products. Upon review of their software against our criteria, we determined that continued detection of Claria’s products was indeed appropriate. We also decided that adjustments should be made to the classification of Claria software in order to be fair and consistent with how Windows AntiSpyware (Beta) handles similar software from other vendors. At the end of March, we communicated to Claria the result of our analysis through our standard process.
We take software analysis for Windows AntiSpyware (Beta) very seriously and handle all vendor requests in the same manner. All software is reviewed under the same objective criteria, detection policies, and analysis process. Absolutely no exceptions were made for Claria. Windows AntiSpyware (Beta) continues to notify our users when Claria software is found on a computer, and it offers our users the option to remove the software if they desire.
That sounds good, but it doesn’t pass the smell test. Why not publish Claria’s request and Microsoft’s response so that customers can understand what changes were made and why? And why claim that there is a strict set of rules, when there’s no such thing? If you follow the link that Microsoft provides, you get to a well-written white paper that in fact does not include a “single set of objective criteria.” Here’s the relevant portion of the white paper. I’ve highlighted (in red) the parts that directly fly in the face of Microsoft’s claim to be applying objective criteria:
Microsoft researchers use the criteria categories described in this white paper to determine whether a program should be added to the definition library for detection, and what classification (type, risk level, and recommendation) would be appropriate.
[...]
The criteria categories include, but are not limited or restricted to:
- Deceptive behaviors: Includes problems with:
  - Notice and consent about what is running on the user’s machine;
  - Control over the actions taken by the program while it is running on the machine; and
  - Installation and removal of the program from the machine at the user’s discretion.
- Privacy: Issues in collecting, using, and communicating the user’s personal information and behaviors without explicit consent.
- Security: Negative impact on the security of the user’s computer or attempts to circumvent or disable security, including but not limited to evidence of malicious behaviors.
- Performance Impact: General impact on performance, reliability, and quality of the user’s computing experience (e.g., slow computer performance, reduced productivity, corruption of the operating system, or other issues).
- Industry and Consumer Opinion: The software industry and individual users play a key role in helping to identify new behaviors and programs that could present risks to the user’s computing experience.
The context, intent, and source of the program are taken into consideration in determining whether certain criteria categories apply. For example, antivirus or firewall software that automatically starts (autostarts) without user input can be useful for helping to detect and block malware. In other cases, system services (such as print spoolers) may run in the background with limited or no user interface but have widely-accepted, legitimate purposes. Many legitimate programs could be flagged if criteria categories were applied without considering the context, intent, and source of the software.
Note that Microsoft reviews the behaviors of programs installed not only by the software vendor but also by its third-party affiliates to determine whether the software vendor and/or its affiliates should be included in the definition library.
Because new forms of software and their related behaviors evolve rapidly, Microsoft and other anti-spyware vendors need to be able to respond quickly and adjust classification criteria appropriately. Therefore, Microsoft reserves the right to adjust, expand, and evolve its criteria for analysis without prior notice or announcements as these new threats materialize.
In other words, someone (or a group of someones) at Microsoft decides, on a case-by-case basis, whether a particular piece of software should be included on the detection list, how it should be classified, and what action should be recommended to the user when the result is displayed after a scan. That’s reasonable. But it’s not what Microsoft is telling us, its customers.
If you follow the Microsoft links, all you know is that Claria complained, Microsoft reviewed its classification, and a change appeared in the list. Microsoft knows why. Claria knows why. Microsoft customers know nothing. Was the original classification wrong? Did Claria change its behavior in some significant way that caused Microsoft to re-evaluate its classification? Was there another reason for the change? Ben Edelman has an excellent summary of how badly Microsoft is screwing up:
Has Microsoft given in to vendors’ threats? Or forgotten how badly “adware” damages the Windows experience (ultimately encouraging users to switch to other platforms)? I’ve previously been impressed with Microsoft’s AntiSpyware offering; I’ve often used it and often recommended it to others. But screw-ups like this call Microsoft’s judgment into question. During this sensitive period, with Microsoft unwilling to deny the continued Claria acquisition rumors, Microsoft should be especially careful to put users’ interests first. Instead, Microsoft’s recommendations cater to the interests of the advertising industry. I’m not impressed.
Microsoft isn’t providing any details about the reasons for its decisions. And that’s the problem: No transparency. Microsoft doesn’t give customers any reason for them to trust Windows AntiSpyware to classify potentially unwanted software accurately and recommend actions that are in its customers’ best interests.
Scoble says Microsoft’s AntiSpyware team should start blogging. Perhaps. But if all they’re going to do is provide random explanations and swat at critics, that won’t do much good. A product like this requires formal communication with customers, first and foremost. I have two recommendations that Microsoft could adopt that would go a long way toward establishing an objective basis for that trust:
- Publish the Windows AntiSpyware database. Put it on the Web. Make it searchable. Provide a description of why each product is listed, how it’s classified, and what the recommended action is. Include a change log to document when classifications and recommendations change and why. Make the review process public. Ben Edelman has made this suggestion before, and I agree with it.
- Release control of the detection database to a truly neutral third party. If Microsoft controls the contents of the database, it will never be able to overcome the perception that it is basing its decisions on criteria related to profit and not on user needs. Create a nonprofit organization with an independent board of directors and well-qualified management, give it a charter, fund it through an endowment, and agree to indemnify it for any legal costs related to complaints over classification. Let that group build a spyware classification system using published criteria and feedback from customers. Publish the database under a Creative Commons license. If the organization providing this database has no commercial interest to provide a potential conflict of interest, the Clarias of the world would have quite a burden to overcome before they could establish that they’re being unfairly targeted.
How about it, Microsoft?

No, I don’t see any contradiction between this post and the July 8 post. In fact, Boing Boing’s post was just flat-out wrong (and still is largely incorrect, even after its “correction”). There is nothing to support the suspicion that there was a quid pro quo for the change in classification for Claria. But Microsoft’s lack of transparency means that it is impossible to divine the real reasons for their actions, and the reality is that they will always be under a cloud of suspicion even if (if!) their motives are pure and their actions purely rational. That’s why publishing the database and turning it over to a neutral third party is best for all parties.
Publishing their inclusion processes online is not a bad idea at all, but I see no need for them to release control of their database to some independent watchdog. They are the most prolific software company in the world, and all the anti-business rhetoric aside, they are doing something right to gross annual sales of $40 billion and create software that the majority of the free world’s computer users voluntarily use day to day. They are not incompetent because a couple of adware vendors are detected but not flagged to your liking.
You want to design and make an antispyware program, Microsoft? Then make one that those companies cannot place trash on our computers without our knowledge and consent, regardless of who they are or for what purpose. This is my computer. Only I have the right to let things (adware-spyware) enter or run on it. Like tracing my surfing! None of their business, nor yours, etc., etc. Gain and many others violate my (our) rights. They place trash on our computers, and it takes hours for us to delete the bull crap!!!! Make a program, antispyware, that keeps those boggers out!
Never trust Microsoft. They lied, lie, and will lie again. Its so-called antispy is in itself spyware.
Get away from MS!
We all know many inexperienced Windows end users just keep whatever is installed on their PC with Windows, and never bother to go looking for a better browser, for instance. Some even think changing their start page is too complicated…
Many new users are scared to death to even look in the program files folder, or the registry, let alone uninstall/install a new program for themselves. So if MS says it is protecting their PC against spyware, adware, etc., they will blindly believe it. Then heave a sigh of relief and ignore all warnings they read on the net about spyware, etc. from then on, thinking they are 100% safe forever.
Normally only something like those warnings can get them to even try installing a security program of some sort for themselves. This should not be news to anybody. In fact, it’s downright predictable…
So MS has (maybe?) decided to buy Claria. And they have decided to go into the anti-spyware biz, as well… So the obvious question is, which decision came first, the one to buy Claria (or any spyware company, for that matter), or to make an anti-spyware program that millions of inexperienced Windows users will blindly trust?
I can’t help but think that even the most inexperienced users are becoming aware that something called spyware actually exists, and may somehow get on their PC without their being aware of it. There are a lot of good anti-spyware programs out there, as well as places to get free online scans for it. So I think it is getting a bit more difficult for spyware companies to put their junk on as many PCs as they would like to. The only way to get spyware on more PCs would be if the anti-spyware software ignored their junk for some reason…
If a spyware company tried to buy anti-spyware software, distribute it, and claimed it would still be objective and honest towards their spyware, nobody would believe them.
In spite of all the vulnerabilities in IE, the vast majority of surfers on the net are still using it as their primary (or only!) browser. So a huge number of people would use MS AS as their only defense against spyware no matter how many spyware companies MS buys… Sad but true… And very predictable to MS before they decided to go into the AS biz or buy anything like Claria… Coincidence?
Oh well… At least protect yourself, grab Mozilla Firefox, and you can never have too many anti-spyware/adware/hijacker/rootkit/etc. programs, use ‘em all.