Friday, March 25, 2005
Marxian Manifesto Madness
First and foremost is identity. Any adware producer should clearly identify themselves, not only in any installation attempt, but there should be updated contact information in any adware control panel that will enable anyone to contact the adware provider, either in the business or technical domain. This must be complemented by strong controls on code-signing (are you listening, Verisign and other CAs?) that verify the company is who they say they are, that any digital certificates issued to the company are short-lived and that there is an ongoing recertification process by the CA to continue to verify that the holder of any certificate is indeed reachable. This could of course be a win-win proposition, in that it would allow for increased fees to the CA or such other agency that would vouch for the adware provider's identity (perhaps Choicepoint?), and that any truly legitimate provider of adware would be glad to pay to establish that it's being constantly vetted. As to the overall economics of the situation, somebody will end up paying those fees (the advertisers of course) and as to whether it would remain economically viable is a matter of conjecture. The stick of course is that whoever issues any identity documents to an adware provider is on the hook for the adware provider's actions, and if they go rogue, the affiant will get hung for any damages incurred.
The matter of identity can't be overstated, as any adware component must be clearly indicated with a positive indication to the customer that they are installing adware from XYZ Company, and that they are going to receive adware as part of the bargain in getting whatever else they've been promised. There's been some legal talk here and there that clicking an OK button is indeed an electronic signature indicating affirmative consent, but of course given the penchant for the installers to put phrases such as "Required Update" and the like in bold on the installers, the average PEBKAC will merely click and not think about the consequences. I would think that something requiring an affirmative response would be much more appropriate, for example the technique used by some web sites of presenting a distorted set of letters and numbers that must be keyed in by the user in order to proceed or access content, or for that matter requiring the user to respond to an e-mail, where they would need to click a URL and again affirm their desire to install the adware. Again, win-win situation. The adware guys are protected as they have a record of affirmative actions taken by someone to actually get the thing installed on their PC, the end users have multiple chances to stop any installation, and even just doing nothing will abort it.
Adware should have a control panel visible to the user, be it in the system tray, some application, or even an applet in Control Panel (pardon me for sticking to the Windows paradigm for purposes of this discussion). This control panel should have the ability to turn ads on and off at the user's discretion. Of course, if there's a program such as a P2P client or other such nonsense that depends on that adware running, it of course should have the option of refusing to start or shutting down if the ad generator isn't running. Fair is fair, after all. If the PEBKAC desires the use of that program, he/she puts up with the ads. Said control panel should also provide for the complete uninstallation of the adware. That means everything: DLLs, config files, data caches, registry entries, you name it. The program should also be uninstallable through the standard mechanisms (Add/Remove Programs) and in addition, there should be instructions for manual removal if all else fails (the vast majority of people won't be able to use regsvr32 but if they have a friendly techie nearby there will at least be a step-by-step checklist available on how to get rid of the thing). Absolutely nothing must be done in a stealth manner; everything must be done through the highest-level APIs possible.
The concept of an independent code review for adware is appealing, but probably wouldn't fly just on the basis of trade secrets, but the thought of putting someone on the hook for the code analogously to Underwriters Labs for electrical equipment is appealing. The question is who would best be capable of doing such reviews, and what would such reviews entail. The purveyors of certifications such as TRUSTe, BetterWeb and WebTrust would probably be logical places to look first, but their own risk management rules would probably prohibit them from engaging in this "do no harm" certification, which of course would entail lots of integration testing in various configuration permutations. In essence, this would involve creating a new insurance product, but the carrot and stick would be carefully defined in such a way that any failures demonstrably linked to an adware product will have consequences for both the adware producer as well as its certifier/insurer/assurer. Needless to say I can easily envision no-fault laws quickly being drafted if such measures were taken.
The behavior of adware would need to be carefully defined. The Hippocratic paradigm of first doing no harm would be essential, so at least the following characteristics would have to be required of any adware program approved for general use:
- Not to obscure or interfere with any other open programs on the desktop environment. Simply put, no windows for GM products obscuring your attempt to view the Ford site. Something along the lines of a small sticky note sized window (in a corner or a user-defined location), possibly flashing to get your attention (in the same manner as a program with an open dialog box might flash the taskbar) might be acceptable if unobtrusive enough.
- Not to transmit any identifiable URLs to a central database. I know it'll seriously undermine the data mining that they want to, ahem, add value to their, ahem, service, but there may be session IDs, CGI parameters and the like that aren't stripped out when reporting. I would imagine that aggregated domain information would probably prove acceptable (I don't think that anyone would much care if adware said Joe Shlabotnik checked CNN eight times today), but a deep-dive into the URLs is bordering on unacceptable. Imagine checking your portfolio and having the URL reported to a central database and suddenly getting targeted investing spam...
- Not to hook the keyboard interrupt. Goes without saying, as you're dangerously close to a keylogger here, and not everything is for data mining purposes.
- Limit the amount of ads served up. Even though they're getting increasingly longer on commercial TV, there should be a finite number of ads served up in any given time period. I would suggest that a maximum of one ad in ten minutes would probably be the absolute upper limit. Anything more will degenerate into annoyance or confusion for the user who might actually be trying to do something useful. Once an ad is dismissed, it should stay dismissed.
- Allow types of ads and individual advertisers to be banned by the end user. Goes without saying, as ads for porno shouldn't be popping up when the kiddies want to see Mickey Mouse. Bans should be pervasive and cannot be lifted remotely by the adware provider.
- No undocumented APIs should be used in the software or in its installation process. In other words, no rootkit installations.
- There should be no obfuscation of the adware's location, filenames and registry keys. Filenames should not be randomly generated for purposes of frustrating removal or disabling the software. All GUIDs associated with the software shall be published so as to facilitate troubleshooting systems impacted by installation of the software.
- There should be no changes or impairment to system function by the adware. Specific no-nos would include installation of hosts file entries designed to redirect legitimate traffic to affiliated adware sites, changes to the IP protocol stack, installation of any Browser Helper Objects, installation of dialers, installation of any toolset designed to limit the functionality of the system with respect to its status prior to the adware's installation, no attempts to "phone home" other than to pass non-identifiable aggregated data (an unlikely scenario, as the source IP addy will be quite visible on the receiving end, therefore it will still be somewhat identifiable), no attempts to download and install updates or upgrades to the adware without the express consent of a privileged system user, and no attempts to download or install any other adware or similar software.
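To make the "aggregated domain information" requirement above concrete, here is an added sketch (not part of the original post, and not any vendor's code) that reduces visited URLs to per-host counts and then audits a report for leftover path, query or credential tokens. The sample URLs and all function names are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample browsing history (illustrative, not real data).
SAMPLE = [
    "https://www.cnn.example/world/story-1138?ref=home",
    "https://WWW.CNN.example:443/politics/",
    "https://broker.example/portfolio/view;jsessionid=8F3A21C9?acct=12345678&sym=XYZ",
    "http://joe:hunter2@mail.example/inbox?sid=deadbeefcafe",
    "file:///C:/Users/joe/Documents/taxes.pdf",
]

def report_domain(url):
    """Return only the lowercase hostname of an http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname          # drops userinfo and port
    except ValueError:                 # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None                    # local files etc. are never reported
    return host.rstrip(".")

def aggregate(urls):
    """Per-host visit counts: the only thing that would leave the machine."""
    return dict(Counter(d for d in map(report_domain, urls) if d))

def leaked_tokens(report, urls):
    """Audit: path, query and userinfo tokens from the raw URLs found in a report."""
    blob = json.dumps(report)
    found = set()
    for u in urls:
        p = urlsplit(u)
        tokens = [v for _, v in parse_qsl(p.query)]
        tokens += [seg for seg in p.path.split("/") if len(seg) >= 6]
        tokens += [t for t in (p.username, p.password) if t]
        found.update(t for t in tokens if t and t in blob)
    return found

if __name__ == "__main__":
    print(aggregate(SAMPLE))
    # Reporting raw URLs instead fails the audit:
    print(sorted(leaked_tokens(dict(Counter(SAMPLE)), SAMPLE)))
```

As the same bullet list points out, the source IP address is still visible on the receiving end, so this only addresses what is in the payload.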
A quote unquote legitimate adware provider should be required to be an active participant in computer security efforts, as their systems do provide a new infection vector for various net nasties, and increasingly often, virus writers deliver adware as a payload in addition to their other nasties, so the onus should be placed on adware firms to cooperate with CERT and the like to provide uninstallers and other toolsets to facilitate cleanup of any unintended installation of their software. Then again, those virus writers who are doing this sort of thing are delivering payloads from companies that are definitely operating on the shadier side of the curtain (iDownload, anyone?), so it leaves open the possibility of a "joe job" being done against an adware company that might indeed be playing by the rules.
I would imagine that some adware companies might actually approve of some of these suggestions, particularly the more visible ones such as Claria and Cydoor in order to legitimize their perception, and there have been some steps taken such as joining COAST (an anti-spyware consortium), but given the track records, there's a perception amongst the user community that this is a window-dressing tactic. The bottom feeders will of course operate on the outskirts of any legal framework imposed, and the marketing lobbyists will fight any such attempts to impose sanity on these cowboys with all of their considerable resources. I'm shagged out from ranting so much.
And since the title of this prolonged squawk demands it, the one, the only....