Just a few days ago, we had yet another report of a naughty affiliate distributing 180solutions software by an AIM worm that also installed a backdoor and rootkit, a rootkit scanner and a fake version of BitTorrent.
In the comments on that post, Sean Sundwall of 180solutions wrote:
2. We can confirm [as shown in Paperghost's blog] that the proper notification screen was shown and that user consent was required prior to our software being downloaded. In other words, NONE of these installs were "silent." They all required user consent.
3. However, as a show of good will, we took the extra step of using our new Closed Loop System technology to message each user who received the 180solutions software via the AIM worm, requiring them to re-opt in to the installation even though proper consent was obtained the first time.
I can imagine the bewilderment, frustration and anger a user felt when hit with the AIM worm and encountering these ugly spyware tricks. 180 says "proper" user consent was obtained, but under what circumstances? Did the user really give proper, meaningful and informed consent?
The term informed consent is most often used to mean consent for medical procedures where the patient is informed of all the consequences and possible complications of a procedure or treatment, possible alternatives to the proposed treatment and the consequences of not having the procedure or treatment. More generally, informed consent is defined as:
An agreement to do something or to allow something to happen, made with complete knowledge of all relevant facts, such as the risks involved or any available alternatives. (Emphasis mine.)
Without taking into consideration risks and available alternatives, let's see if 180solutions makes all the relevant facts known to a user before obtaining consent to install 180's software. Ben Edelman makes these points about 180solutions' installation practices:
- 180solutions is promoted at sites targeted to children. We know that children cannot legally enter into a contract, a child would not understand a EULA if they read it and could not give meaningful consent.
- The presence of 180solutions bundled software is shown in an off-screen footer without scroll bars.
- Lack of disclosure that 180's ads are shown in pop-ups and lack of disclosure of privacy consequences.
- License agreement shown in a windows that discourages careful review.
- Use of misleading button labels to encourage installation.
- Hiding standard Windows buttons that allow users to cancel installation.
- Use of prompts to discourage removal with false warnings about risks to other software.
Ben demonstrates in detail each of these problems with 180's practices. He charges that the "Safe and Secure Search" Confirmation Screen includes misleading statements, euphemisms, and material omissions and that 180's EULA does not meet industry standards.
Even under the best of circumstances, 180solutions gets a failing grade on its installation practices. Spyware researchers continue to see 180solutions software bundled in large infestations of spyware and adware where, as in the AIM worm attacks, users have little, if any, chance to give meaningful, informed consent. Surely 180 can do better.