People who regularly click through terms-of-service agreements without reading them later discover they've let advertisers and others access their computers.
By John Borland and Rachel Konrad
Virginia Watson unwittingly authorized a company she'd never heard of to install software that would help turn her computer into part of a brand-new network.
The software, from Brilliant Digital Entertainment, came with the popular Kazaa file-swapping program. But the 65-year-old Massachusetts resident--who has a law degree--didn't read Kazaa's 2,644-word "terms of service" contract, which stated that Brilliant might tap the "unused computing power and storage space" of Watson's computer.
"I have in the past read 'terms of agreement' and not retained a word," said Watson, who uninstalled Brilliant's software after learning about it recently. "I find them way too long. After scrolling down a few times, I just tend to give up."
Every month, millions of people agree to terms-of-service and privacy contracts they haven't read--and probably wouldn't understand if they tried--to download software without paying for it. Many are later disturbed to find their computers coopted by little-known companies to distribute advertisements, monitor online behavior, or help solve complicated computing problems.
Terms of service have long been a source of controversy, especially when they involve consumer privacy. But the issue was raised to alarming levels this month when consumers using the Kazaa program learned that they had unwittingly agreed to install software that could help turn their computers into nodes for a peer-to-peer network controlled by another company.
PC invasion has become the hidden cost of free software such as Kazaa and Audiogalaxy, programs that allow people to share digital music and other files online. Instead of charging consumers, or giving away software like music-swapping service Napster did before it was shut down, software developers are giving advertisers direct access to people's computers.
The stakes are high: Six of the top file-swapping software programs have collectively been downloaded more than 144 million times, according to the companies' sites and statistics kept by popular software-aggregation sites. Most of those downloads have been accompanied by "adware," software that often monitors Web browsing habits to generate ads based on the person's interests, or by other tracking software.
|Kazaa controversy: Software or sneakware?|
Kevin Bermeister, CEO, Brilliant Digital Entertainment
April 5, 2002
Negative publicity in the wake of the Brilliant-Kazaa controversy has some industry veterans worried that consumers will switch from mindlessly clicking "I agree" to staunchly refusing to accept terms of service. In that scenario, innovative software might not receive advertisers' support or distribution.
Brilliant, whose Altnet peer-to-peer software piqued consumer fears, says it is committed to telling people exactly how their computers will be used via new agreements and pop-up boxes as it loads more software and starts using consumers' computer resources. But others say the case underscores the vulnerability of millions of PCs to all manners of invasion, disclosed or otherwise.
The voyeuristic, potentially criminal, nature of spyware has united an unlikely lot: privacy advocates and adware proponents. They're both speaking out about privacy policies and terms-of-use contracts, while adware executives are taking pains to define adware and spyware.
"I'm not an extremist," said Robert Regular, vice president of sales and marketing at New York-based digital advertising firm Cydoor. "But all this talk of spyware is the equivalent of elevating one bad seed, and it's having negative consequences on the good software. The public doesn't have time to investigate if it's negative software; they'll just stop downloading...I would hate to think we could reach a point that, whenever a dialog box comes up and says, 'Do you want to do this,' bells go off and people become worried."
Mindful or mindless consent?
Privacy and security experts say advertisers and other bundled software distributors are exploiting people's mindless habit of clicking "I agree," and they worry that consumers are abandoning their rights with the click of a mouse. Much as the avalanche of spam in the 1990s prompted action from legislators and regulators, growing annoyance with this quietly bundled software has triggered a backlash that could help set ground rules for using consumers' computers.
"The question is not whether people read and understand (terms-of-service agreements)--of course they don't--but whether they can be enforced," said Cern Kaner, an attorney specializing in software legislation who teaches computer science at the Florida Institute of Technology. "I don't think that companies should have the right to spy on you without your actual permission, but I think it will be hard...to prosecute companies who do engage in this type of practice if you have actually clicked on an agreement that gives them permission."
Although people regularly click on such agreements, few scroll through the verbiage. In a survey last month of 155 adults by Richardson, Texas-based consulting firm Privacy Council, 76 percent of respondents said they were "concerned" about having their privacy violated on the Internet. Only 22 percent admitted to reading privacy policies. Among respondents ages 18 to 25--a core constituency for file-swapping software--only 8 percent read the policy.
Moreover, reading the policies does not automatically translate to understanding them. Like software license agreements for Microsoft Word or Windows, most privacy and terms-of-use statements that accompany bundled software are rife with impenetrable jargon and legalese.
Mark Hochhauser, a Golden Valley, Minn.-based psychologist and readability consultant, said clicking the "I agree" button at the end of consent forms reflects widespread trust on the part of consumers--not necessarily ignorance or illiteracy.
"Patients who are very sick can be given a 3,000-word consent form written by lawyers with the same level of complexity as these privacy notices," Hochhauser said. "The sick people usually just sign it without reading it because their doctor said it was OK. Same thing here: The reader thinks, 'The FTC would close them down if they were doing something really bad.' There may be a basic element of trust that people bring into this."
A "kindergarten version"
Stung by criticism in the media and on online bulletin boards, some adware companies are adopting "plain English" policies for their forms.
Redwood City, Calif.-based Gator, a popular free application that is supported by advertising revenue from its own bundled program, requires a marketing person to draft its terms of service. That person then sends the document to the legal department, which edits and returns it to the marketing department for revisions. The result is a three-paragraph statement that Chief Marketing Officer Scott Eagle calls a "kindergarten version" of the full policy.
"Does an uninvited guest keep knocking on your door saying, 'Hi! I'm here!'?" he asked rhetorically, describing Gator's multiple disclosures and the icon of alligator eyes that appears whenever the program is running. "No. We are invited guests on the desktop and even pop up a fourth modal screen saying, 'Your Gator software is here.' And since our e-wallet software helps users every day fill out forms, we constantly come back and have an ongoing relationship with our customers."
Gator has more than 300 clients, including four of the top six automotive companies and businesses that sell everything from mortgages to diapers. It sends an average of two pop-up ads per week to more than 15 million people.
"Honestly, I don't know any other ways of harassing the user, other than making the screen flash," Audiogalaxy CEO Michael Merhej said.
Nevertheless, industry executives say a handful of companies--which emerge and go out of business quickly and rarely publish physical addresses on their Web sites--are tainting adware's image.
Gator executives said they recently submitted a list of "best practices" to the Interactive Advertising Bureau, including recommended guidelines for consent and
Internet industry groups are taking up the cause from a technological standpoint. On Tuesday, the World Wide Web Consortium endorsed standards for protecting consumers' privacy on Web sites.
Blissful ignorance--so far
"You can't say with any certainty that click-wrap agreements are always enforceable," said Doug Isenberg, an Atlanta-based attorney and publisher of the GigaLaw.com Web site. "Many judges will look for a way to find that a click-wrap agreement is unenforceable if the terms of the agreement are not conspicuous."
The FTC is urging consumers with complaints to contact the agency. Staff members are particularly concerned that children are among the most voracious consumers of free downloads and that software companies don't prevent children from agreeing to terms that affect their parents' computers. That was partly why the FTC took action recently against a company whose software disconnected surfers' computers from the Net and rerouted them through a 1-900 number.
Congress has already enacted some consumer protection rules in other areas that could eventually apply to bundled software. For example, credit card companies must list the long-term interest rates for credit cards in a large font, and they can't hide even ordinary terms and conditions in small print.
Market forces may also provide an antidote to bundled software abuses. German software company Lavasoft has distributed at least 4.5 million copies of Ad-Aware, a free program that scans a computer memory, registry and hard drives for known adware and spyware.
"What we need is a private police force on the Internet to make sure the software you get has sufficient protections," said Privacy Council's Ponemon. "There's probably a really good business opportunity there."
From legitimate advertising companies with Fortune 500 clients to unethical hackers working in covert networks, organizations are eager to tap your computer. But advertisers, publishers, industry pundits and journalists rarely agree on definitions of the emerging niches of "adware" and "spyware," two forms of software that usually piggyback on another, more popular program. Here are some rough guidelines:
adware: This software installs itself after you click "I agree" or legally consent to having the program on your computer. The software might monitor your Web browsing habits or ask for your demographic data to generate "targeted ads" based on your interests. For example, an adware company could allow a pop-up ad about a Ford Explorer to appear on the screen while you were exploring the Jeep site. Adware may report data to a third party.
spyware: This software often installs itself without your consent. The software might monitor your Web browsing habits or record your passwords, credit card information or other e-commerce data. It usually relays the data to a third-party company or funnels the information for unethical purposes. It's usually difficult to find or delete from your hard drive.
|Below are the top 20 downloads for the week ending April 14, 2002 from Download.com*. Downloads that include bundled software or technology that will serve banner ads are in red. Those that try to purge adware are in green.|
*Download.com is operated by CNET Networks, publisher of News.com.
**Adobe's Web Buy feature, which allows you to purchase PDF files through online distributors, may transmit information about your computer to these third-party distributors.
Source: Download.com, News.com
|Kazaa network: Are you concerned?|
Service changes baffle Yahoo customers
Windows Media aware of DVDs watched
Peer to peer: As the revolution recedes
|Bill to revive political battle over Net privacy|
Los Angeles Times
Spyware, in a galaxy near you
PC World poll highlights privacy concerns
To make legal terms stick, make Web users click
|Editors: Mike Yamamoto, Evan Hansen, Julie Laing, Desiree Everts|
Design: Melissa Parker
Production: Mike Markovich