Friday, March 25, 2005


Marxian Manifesto Madness

Despite my near-certainty that no Attorneys General nor other political movers and shakers read these pages, I thought I would present the outline of a manifesto regarding adware that might possibly be useful for some realistic form of legislation down the road. Realistically, of course, any such legislation would immediately cause adware "providers" to relocate any corporate presence away from the jurisdictions in question (presumably offshore); however, a bit of teeth in the legalisms around it might actually force some form of equitable resolution. To be brutally honest about it, some form of legitimate pervasive adware is likely, perhaps not inevitable, but advertisers will do anything to get their message across (been to a movie lately?), and while there's still time, the situation should be addressed through strong legislation (sure to be opposed by every marketing constituency) that would make things a bit less onerous on the end user.

First and foremost is identity. Any adware producer should clearly identify themselves, not only in any installation attempt, but there should also be up-to-date contact information in any adware control panel that will enable anyone to contact the adware provider, either in the business or the technical domain. This must be complemented by strong controls on code-signing (are you listening, Verisign and other CAs?) that verify the company is who they say they are, that any digital certificates issued to the company are short-lived, and that there is an ongoing recertification process by the CA to continue to verify that the holder of any certificate is indeed reachable. This could of course be a win-win proposition, in that it would allow for increased fees to the CA or such other agency that would vouch for the adware provider's identity (perhaps Choicepoint?), fees that any truly legitimate provider of adware would be glad to pay to establish that it is being constantly vetted. As to the overall economics of the situation, somebody will end up paying those fees (the advertisers, of course), and whether it would remain economically viable is a matter of conjecture. The stick, of course, is that whoever issues any identity documents to an adware provider is on the hook for the adware provider's actions, and if they go rogue, the affiant will get hung for any damages incurred.

The matter of identity can't be overstated, as any adware component must be clearly indicated with a positive indication to the customer that they are installing adware from XYZ Company, and that they are going to receive adware as part of the bargain in getting whatever else they've been promised. There's been some legal talk here and there that clicking an OK button is indeed an electronic signature indicating affirmative consent, but of course, given the penchant of the installers to put phrases such as "Required Update" and the like in bold, the average PEBKAC will merely click and not think about the consequences. I would think that something requiring an affirmative response would be much more appropriate, for example the technique used by some web sites of presenting a distorted set of letters and numbers that must be keyed in by the user in order to proceed or access content, or for that matter requiring the user to respond to an e-mail, where they would need to click a URL and again affirm their desire to install the adware. Again, a win-win situation. The adware guys are protected, as they have a record of affirmative actions taken by someone to actually get the thing installed on their PC; the end users have multiple chances to stop any installation, and even just doing nothing will abort it.

Adware should have a control panel visible to the user, be it in the system tray, some application, or even an applet in Control Panel (pardon me for sticking to the Windows paradigm for purposes of this discussion). This control panel should have the ability to turn ads on and off at the user's discretion. Of course, if there's a program such as a P2P client or other such nonsense that depends on that adware running, it of course should have the option of refusing to start or shutting down if the ad generator isn't running. Fair is fair, after all. If the PEBKAC desires the use of that program, he/she puts up with the ads. Said control panel should also provide for the complete uninstallation of the adware. That means everything, DLLs, config files, data caches, registry entries, you name it. The program should also be uninstallable through the standard mechanisms (Add/Remove Programs) and in addition, there should be instructions for manual removal if all else fails (the vast majority of people won't be able to use regsvr32 but if they have a friendly techie nearby there will at least be a step-by-step checklist available on how to get rid of the thing). Absolutely nothing must be done in a stealth manner, everything must be done through the highest-level APIs possible.

The concept of an independent code review for adware is appealing, but it probably wouldn't fly, if only on the basis of trade secrets. Still, the thought of putting someone on the hook for the code, analogously to Underwriters Laboratories for electrical equipment, is attractive. The question is who would best be capable of doing such reviews, and what such reviews would entail. The purveyors of certifications such as TRUSTe, BetterWeb and WebTrust would probably be logical places to look first, but their own risk management rules would probably prohibit them from engaging in this "do no harm" certification, which of course would entail lots of integration testing in various configuration permutations. In essence, this would involve creating a new insurance product, but the carrot and stick would be carefully defined in such a way that any failures demonstrably linked to an adware product would have consequences for both the adware producer and its certifier/insurer/assurer. Needless to say, I can easily envision no-fault laws quickly being drafted if such measures were taken.

The behavior of adware would need to be carefully defined. The Hippocratic paradigm of first doing no harm would be essential, so at least the following characteristics would have to be required of any adware program approved for general use:

A quote unquote legitimate adware provider should be required to be an active participant in computer security efforts, as their systems do provide a new infection vector for various net nasties. Increasingly often, virus writers deliver adware as a payload in addition to their other nasties, so the onus should be placed on adware firms to cooperate with CERT and the like to provide uninstallers and other toolsets that facilitate the removal of any unintended installation of their software. Then again, those virus writers who are doing this sort of thing are delivering payloads from companies that are definitely operating on the shadier side of the curtain (iDownload, anyone?), so it leaves open the possibility of a "joe job" being done against an adware company that might indeed be playing by the rules.

I would imagine that some adware companies might actually approve of some of these suggestions, particularly the more visible ones such as Claria and Cydoor, in order to legitimize how they are perceived, and there have been some steps taken, such as joining COAST (an anti-spyware consortium), but given their track records, there's a perception amongst the user community that this is a window-dressing tactic. The bottom feeders will of course operate on the outskirts of any legal framework imposed, and the marketing lobbyists will fight any such attempts to impose sanity on these cowboys with all of their considerable resources.

I'm shagged out from ranting so much.

