Security experts welcome adware fines

Security experts have welcomed a legal settlement that has held advertisers responsible for adware for the first time in the US.

Communications company Cingular Wireless and travel company Priceline agreed on Monday to pay fines of $35,000 (£18,000) each for promoting products and services through adware. Travel company Travelocity agreed to pay $30,000 (£15,000).

According to the New York Attorney General's Office, the adware — software that automatically displays adverts to a computer user — was "deceptively installed" on users' machines.

"Advertisers will now be held responsible when their ads end up on consumers' computers without full notice and consent," New York Attorney General Andrew Cuomo said in a statement. "Advertisers can no longer insulate themselves from liability by turning a blind eye to how their advertisements are delivered, or by placing ads through intermediaries, such as media buyers. New Yorkers have suffered enough with unwanted adware programs and this agreement goes a long way towards clamping down on this odious practice."

Priceline, Travelocity and Cingular Wireless agreed to pay the fines to the State of New York following an investigation by the New York Attorney General's Office into a company called Direct Revenue.

In a lawsuit filed in April 2006, Cuomo alleged that Direct Revenue installed adware programs onto millions of computers worldwide that delivered a steady stream of advertisements, monitored websites visited by users, and collected data typed into web forms — without adequate notice to or the consent of consumers.

In addition, the adware programs were difficult to remove, and consumers who had previously downloaded the company's programs without being given full notice and consent, known as "legacy users", continued to receive Priceline, Travelocity and Cingular ads through those programs. The Attorney General discovered that Priceline, Travelocity and Cingular, among others, spent hundreds of thousands of dollars delivering ads through Direct Revenue software.

Simon Perry, vice president of security strategy for CA, said on Wednesday that companies should be held accountable for adverts displayed through adware, as legitimate marketing spend is playing a key role in supporting the adware business.

"If you follow the money, it's legitimate marketing spend that's supporting the creation and delivery of adware to people's screens. It's an undesirable industry that's being fed. There should be accountability, through that money trail," Perry told ZDNet UK. "Adware only exists to turn a profit, and legitimate companies are feeding that model."

Perry added that adware is undesirable for businesses because third-party applications are running on machines and transporting information out of the company, which comprises a privacy breach. The applications can be difficult to remove.

Adware is also undesirable for systems administrators as it uses up bandwidth and generates helpdesk calls, and is undesirable for end users as it subverts browser sessions, records information about browsing habits, and collects information typed into web forms, which is a breach of privacy, said Perry.

Perry said that adware could also harm a brand, as ad content and the method of delivery are often not separated in people's minds.

"In the mind of the consumer there is a negative reaction to the company because of the method of delivery," said Perry. "If someone put up a billboard in front of Stonehenge, and I paid for a CA advert on it, people would have a negative reaction to CA, and regulators would hold us accountable."

Monday's agreements require that Priceline, Travelocity and Cingular Wireless deliver online ads only through companies that:

• Provide full disclosure of the name of the applicable adware program and any bundled software
• Brand each advertisement with a prominent and easily identifiable brand name or icon
• Fully describe the adware and obtain consumer consent to both download and run the adware
• Make it practicable for consumers to remove the adware from their computers
• Obtain consent to continue serving ads to legacy users
• Require their affiliates to meet all these same requirements

The agreements also require Priceline, Travelocity and Cingular to engage in due diligence with respect to selecting and utilising adware providers. Prior to contracting with a company to deliver their ads, and quarterly thereafter, the companies must investigate how their online ads are delivered. The companies must immediately cease using adware programs that violate the settlement agreements or their own adware policies.